General
Target: svchost.exe
Size: 31KB
Sample: 201010-p6tmerk4xx
MD5: 49b8f905867aded45f1f5b3c9bd84209
SHA1: 0a87788428778dba567623ccc9be6825eba4b7c7
SHA256: 02883009e7e310bf670bff6336cb6c05c5ecfe0b40274a99b769e8fbfae19ad3
SHA512: 1c9d2b7bb3948ad8f3cae541602575b9eacc2a212ab0a6e7c148a24a72e36986e4c46d646244837dc3ea7c71f3db90629f7ee68ef18565d67f93d1f801308361
Static task: static1
Behavioral task: behavioral1
Sample: svchost.exe
Resource: win7
Behavioral task: behavioral2
Sample: svchost.exe
Resource: win10v200722
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\@Please_Read_Me@.txt
wannacry
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Extracted
C:\Users\Admin\AppData\Local\Temp\@Please_Read_Me@.txt
wannacry
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Targets
- Executes dropped EXE
- Modifies Windows Firewall
- Modifies extensions of user files: Ransomware generally changes the extension on encrypted files.
- Drops startup file
- Loads dropped DLL
- Modifies file permissions
- Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application
- Sets desktop wallpaper using registry