Monday, August 6, 2012

Malware Analysis : Trojan:AutoIt/Ransom.F

A free sample and an analysis report for this malware are available at malware.lu, so I analyzed this sample as practice.
When I was analyzing this sample, its detection rate at VirusTotal was 14/40.
This malware comes with the icon shown in the following image, which hints that it was compiled with AutoIt:
After the sample executes, it connects to 95.163.104.88, a site that has already been taken down. This network activity is captured by our tool, so we can observe that it connects to 95.163.104.88/spielberg/start.php.
Sometimes a pop-up window appears during execution:

We can also observe that it changes some files, as shown in the following image:
This malware is packed with UPX. We can easily unpack it and recover the original executable.
Then we use exe2aut to decompile the sample and retrieve the AutoIt script.
The most interesting part is at the end of the script: it writes some registry entries so that it is triggered again after boot, but this behavior is not detected by our tool. It then checks whether explorer.exe and taskmgr.exe exist, to make sure its own GUI stays on top of the desktop.
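To make the triage steps above repeatable, here is a small Python helper I added for this write-up; it is not code from the malware.lu report or from the sample itself. It checks a binary for UPX section names and for the AU3!EA06 marker that AutoIt's compiler embeds, and then scans a decompiled .au3 for Run-key persistence and for polling of taskmgr.exe / explorer.exe. The PE blob and the AutoIt snippet in the block are constructed test data that mimic the behaviour described above; they are not the real Ransom.F script or binary.

```python
"""Triage helpers for an AutoIt-compiled, UPX-packed dropper.

Added example for this write-up; not code from the malware.lu report or
from the sample.  The AU3 snippet below is constructed to mimic the
behaviours described (Run-key persistence, taskmgr/explorer checks).
"""
import re
import struct
from typing import Dict, List

# Marker that AutoIt's compiler embeds in front of the stored script.
AU3_MAGIC = b"AU3!EA06"
# Section names UPX leaves in a packed image (the usual pair is UPX0/UPX1).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1"}


def pe_section_names(data: bytes) -> List[bytes]:
    """Return the section names of a PE image, or [] if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_of_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_of_opt      # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                 # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def is_upx_packed(data: bytes) -> bool:
    return any(name in UPX_SECTION_NAMES for name in pe_section_names(data))


def is_autoit_compiled(data: bytes) -> bool:
    """Cheap check; works on the unpacked binary, where the marker is in the clear."""
    return AU3_MAGIC in data


# Patterns for the two behaviours the decompiled script showed:
# Run-key persistence and polling for taskmgr.exe / explorer.exe.
RUN_KEY_RE = re.compile(
    r'RegWrite\s*\(\s*"(HK[^"]*\\CurrentVersion\\Run(?:Once)?)"', re.IGNORECASE)
PROCESS_RE = re.compile(
    r'Process(?:Exists|Close)\s*\(\s*"([^"]+)"', re.IGNORECASE)


def scan_au3_indicators(script: str) -> Dict[str, List[str]]:
    """Pull persistence keys and polled process names out of a decompiled .au3."""
    return {
        "run_keys": RUN_KEY_RE.findall(script),
        "processes": sorted(set(PROCESS_RE.findall(script))),
    }


def build_fake_pe(section_names: List[bytes], payload: bytes = b"") -> bytes:
    """Constructed, non-executable PE-like blob for exercising the detectors."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics.
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + sections + payload


# Constructed AutoIt snippet (not the real Ransom.F script) with the behaviours above.
SAMPLE_AU3 = r'''
$sPath = @AppDataDir & "\winupd.exe"
FileCopy(@ScriptFullPath, $sPath, 1)
RegWrite("HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "winupd", "REG_SZ", $sPath)
GUICreate("Locked", @DesktopWidth, @DesktopHeight, 0, 0, $WS_POPUP)
While 1
    If ProcessExists("taskmgr.exe") Then ProcessClose("taskmgr.exe")
    If Not ProcessExists("explorer.exe") Then WinSetOnTop("Locked", "", 1)
    Sleep(200)
WEnd
'''

if __name__ == "__main__":
    blob = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], payload=AU3_MAGIC)
    print("UPX packed:", is_upx_packed(blob), "| AutoIt:", is_autoit_compiled(blob))
    print(scan_au3_indicators(SAMPLE_AU3))
```

On a real sample you would run the two PE checks on the file as dropped, unpack it with `upx -d`, re-run `is_autoit_compiled` on the result, and only then feed the exe2aut output to `scan_au3_indicators`. The section-name and marker checks are heuristics: a packer that renames its sections, or a sample that obfuscates the stored script, will slip past them, so treat a negative result as "not obviously UPX/AutoIt", not as clean.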

This sample cannot be run in either Anubis or CWSandbox.
