cryptolocker

General

Target

MyCode.exe
Size

39KB
Sample

240706-r5bv2atenc
MD5

70289b7819fa6c4843f3dbf868f89f48
SHA1

2f7a6cd6e8ad0ca190acaf7ccf613183044a0587
SHA256

ebfcca4ca03a8a89a73501632e23383d274a8cea686bed4359153d863652dd2e
SHA512

cea9a878a1e109e80d2e2493d5bd2ac062a89987b67305b4dd3dff2b06f57c6b2a4f80d8be965276e85101a1d36df071c5e9add4940e18a2ae3d454b245210e4
SSDEEP

768:BPv2tlOzFKuGCuuJ/5c/lpfFWPJ92yF6dOMhHjhC:BGroIrCuuJefFe92W6dOMFA

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:24920

6.tcp.eu.ngrok.io:24920

4.tcp.eu.ngrok.io:24920

5.tcp.eu.ngrok.io:24920

0.tcp.eu.ngrok.io:24920

20.ip.gl.ply.gg:24920

Mutex

qp0SiG21yxPKVpTy

Attributes

Install_directory
%AppData%
install_file
Upgrade.exe

aes.plain

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Targets

- Target
  
  MyCode.exe
- Size
  
  39KB
- MD5
  
  70289b7819fa6c4843f3dbf868f89f48
- SHA1
  
  2f7a6cd6e8ad0ca190acaf7ccf613183044a0587
- SHA256
  
  ebfcca4ca03a8a89a73501632e23383d274a8cea686bed4359153d863652dd2e
- SHA512
  
  cea9a878a1e109e80d2e2493d5bd2ac062a89987b67305b4dd3dff2b06f57c6b2a4f80d8be965276e85101a1d36df071c5e9add4940e18a2ae3d454b245210e4
- SSDEEP
  
  768:BPv2tlOzFKuGCuuJ/5c/lpfFWPJ92yF6dOMhHjhC:BGroIrCuuJefFe92W6dOMFA
Score

10^/10

cryptolocker wannacry xworm bootkit defense_evasion discovery evasion execution impact persistence ransomware rat spyware stealer trojan worm
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- CryptoLocker
  Ransomware family with multiple variants.
  ransomware cryptolocker
- Detect Xworm Payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Disables Task Manager via registry modification
  evasion
- Downloads MZ/PE file
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral1