cryptolocker

General

Target

Krnl_8.10.8_x64_en-US (1).msi
Size

5.0MB
Sample

241207-p3dkqsyjbq
MD5

b837d10b9a71425dbf3d62b2cc59f447
SHA1

85c9ba3331f7eb432c28365b0d1f36a201373a72
SHA256

76c83d1bebd6b01bab76d9a94f223e1a3cf20f2040b8d58a12625074e2936f7c
SHA512

f20999d19c470941c85912725d6f89c5073d475572ece92ce5b8e5425cdf012950f230c353870d86469ab6658bdc504abbb41260cb676f109551860433bcb405
SSDEEP

98304:XPky+agPtUpupDeOds+883iSh79bubjnvmu5/qv4eYb2Tqg9EeYImwqPY6Bvv8m:XPky9GtAcdsENbubzSJb9lyw

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Targets

- Target
  
  Krnl_8.10.8_x64_en-US (1).msi
- Size
  
  5.0MB
- MD5
  
  b837d10b9a71425dbf3d62b2cc59f447
- SHA1
  
  85c9ba3331f7eb432c28365b0d1f36a201373a72
- SHA256
  
  76c83d1bebd6b01bab76d9a94f223e1a3cf20f2040b8d58a12625074e2936f7c
- SHA512
  
  f20999d19c470941c85912725d6f89c5073d475572ece92ce5b8e5425cdf012950f230c353870d86469ab6658bdc504abbb41260cb676f109551860433bcb405
- SSDEEP
  
  98304:XPky+agPtUpupDeOds+883iSh79bubjnvmu5/qv4eYb2Tqg9EeYImwqPY6Bvv8m:XPky9GtAcdsENbubzSJb9lyw
Score

10^/10

cryptolocker wannacry aspackv2 defense_evasion discovery execution impact persistence phishing ransomware spyware stealer worm
- CryptoLocker
  Ransomware family with multiple variants.
  ransomware cryptolocker
- Cryptolocker family
  cryptolocker
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Wannacry family
  wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- A potential corporate email address has been identified in the URL: [email protected]
  phishing
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Drops startup file
- Adds Run key to start application
  persistence
- Downloads MZ/PE file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1