Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7v200217 -
submitted
20-03-2020 09:02
General
-
Target
1831.bin.exe
-
Size
3.4MB
-
MD5
84c82835a5d21bbcf75a61706d8ab549
-
SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
-
SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
-
SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Temp\@[email protected]
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Next, please find an application file named "@[email protected]". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Signatures
-
Modifies service 2 TTPs 4 IoCs
-
Suspicious use of WriteProcessMemory 104 IoCs
-
Suspicious use of AdjustPrivilegeToken 51 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Detects application with GUI, possible interaction required
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Loads dropped DLL 39 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run entry to start application 2 TTPs 2 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Executes dropped EXE 16 IoCs
-
Drops startup file 2 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1831.bin.exe"C:\Users\Admin\AppData\Local\Temp\1831.bin.exe"1⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Drops startup file
- Sets desktop wallpaper using registry
-
C:\Windows\SysWOW64\attrib.exeattrib +h .2⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd /c 265561584698556.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cscript.execscript.exe //nologo m.vbs3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Loads dropped DLL
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]3⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet5⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Sets desktop wallpaper using registry
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ixuojaphjjt477" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ixuojaphjjt477" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f3⤵
- Adds Run entry to start application
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]2⤵
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
16KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
64KB
-
Filesize
4KB
