cryptolocker | bd2b881e8f1cd1bde16f910afaaa58b53128fca3e84b901126b5abb12b023289

General

Target

Company Schedules New - Image Slideshow.exe
Size

208KB
MD5

12bc78e07cb69dd6ec32729240dbe537
SHA1

7b7d9b115ec10074f7166ec3379fead6e816da59
SHA256

5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9
SHA512

c974592671b081d0af48c1aab9f9f02243773a081d9fadf70e3caa7454dca657b45bece27852397e74f601df1abdf5db496c821a5df624057355fd15c807e15a
SSDEEP

3072:GXbUMNAwQ2Jpo/AkQCUyevi8xRpz81NADJ2:ibUMKwQ2J4ReviSjeKN

Score

10^/10

cryptolocker ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\decrypt_instructions.txt

Ransom Note

Welcome to Wizard Ransomware... Admin, here's what happened... All files are encrypted with Advanced Encryption Standard 256. Maybe you noticed something? Your documents are now unreadable and corrupted. You can wonder how to decrypt it, but... No chance of that, sorry. So, what can you do now? You only have one option to decrypt your files, lets see... If you want your important files back you will need $100 in Bitcoin. However, we are able to discuss this price, maybe we can talk it down, we aren't evil. Want to start the process? You should e-mail us at: [email protected] Include your ID in the e-mail, your ID is: ApNNYyGCRCbx2PstwMd0c8ZsC What if I don't pay? Nothing, meaning your files will just be encrypted forever... Bad outcome, right? However, we recommend you be quick, because our operations get shut down fast. Have fun, we're out... Sincerely, Wizard Ransomware.

Emails

[email protected]

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ApproveMount.png => C:\Users\Admin\Pictures\ApproveMount.png.wizard	Company Schedules New - Image Slideshow.exe
File renamed	C:\Users\Admin\Pictures\BackupMeasure.png => C:\Users\Admin\Pictures\BackupMeasure.png.wizard	Company Schedules New - Image Slideshow.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Company Schedules New - Image Slideshow.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4400	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4484	WMIC.exe
Token: SeSecurityPrivilege	4484	WMIC.exe
Token: SeTakeOwnershipPrivilege	4484	WMIC.exe
Token: SeLoadDriverPrivilege	4484	WMIC.exe
Token: SeSystemProfilePrivilege	4484	WMIC.exe
Token: SeSystemtimePrivilege	4484	WMIC.exe
Token: SeProfSingleProcessPrivilege	4484	WMIC.exe
Token: SeIncBasePriorityPrivilege	4484	WMIC.exe
Token: SeCreatePagefilePrivilege	4484	WMIC.exe
Token: SeBackupPrivilege	4484	WMIC.exe
Token: SeRestorePrivilege	4484	WMIC.exe
Token: SeShutdownPrivilege	4484	WMIC.exe
Token: SeDebugPrivilege	4484	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4484	WMIC.exe
Token: SeRemoteShutdownPrivilege	4484	WMIC.exe
Token: SeUndockPrivilege	4484	WMIC.exe
Token: SeManageVolumePrivilege	4484	WMIC.exe
Token: 33	4484	WMIC.exe
Token: 34	4484	WMIC.exe
Token: 35	4484	WMIC.exe
Token: 36	4484	WMIC.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1748	2548	Company Schedules New - Image Slideshow.exe	86
PID 2548 wrote to memory of 1748	2548	Company Schedules New - Image Slideshow.exe	86
PID 2548 wrote to memory of 3792	2548	Company Schedules New - Image Slideshow.exe	88
PID 2548 wrote to memory of 3792	2548	Company Schedules New - Image Slideshow.exe	88
PID 1748 wrote to memory of 4484	1748	cmd.exe	90
PID 1748 wrote to memory of 4484	1748	cmd.exe	90
PID 3792 wrote to memory of 4400	3792	cmd.exe	91
PID 3792 wrote to memory of 4400	3792	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\Company Schedules New - Image Slideshow.exe
"C:\Users\Admin\AppData\Local\Temp\Company Schedules New - Image Slideshow.exe"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic.exe SHADOWCOPY /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All/ Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /All/ Quiet
    3⤵
    - Interacts with shadow copies
    PID:4400

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2548-132-0x0000000000590000-0x00000000005CA000-memory.dmp

Filesize
232KB

Download
memory/2548-134-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/2548-138-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing