General

  • Target

    201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.7z

  • Size

    184KB

  • Sample

    220404-plkygsabck

  • MD5

    bd790926a5860fecc9b3f016cbacb8b1

  • SHA1

    5fcd54c53e981f1ab362840dbb5ea1db7f704555

  • SHA256

    0f5e1ad4815e0d0e967c8e2e594cf495152911d4337bb8f5270ed590879722c4

  • SHA512

    8589fcc26caea3acfb0e9639a70a8cf7ba695cb83e794b9e0a66e9f58f8481152272369d54287914bee8fcf93cf5a3fb43f396541281cc461fe6800e8fce83bc

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $200 worth of bitcoin to this bitcoin address: 1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) https://www.dropbox.com/s/c1gn29iy8erh1ks/m.rar?dl=1 rar password: wcry123 Run and follow the instructions!
Wallets

1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY

Targets

    • Target

      201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe

    • Size

      232KB

    • MD5

      8dd63adb68ef053e044a5a2f46e0d2cd

    • SHA1

      1bc604573ceab106e5a0e9c419ade38739228707

    • SHA256

      201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9

    • SHA512

      c7c267b3be9f50783b394ae9ae960d5ff636c63a58c645764712fed28ce9be616344c2a248782da7f50ede465d3f1e8ec7267d62ebc5e86490ad472518ab1526

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                      Count  ID
  Execution             Scheduled Task                 1      T1053
  Persistence           Scheduled Task                 1      T1053
  Privilege Escalation  Scheduled Task                 1      T1053
  Defense Evasion       File Deletion                  2      T1107
  Defense Evasion       Modify Registry                2      T1112
  Defense Evasion       Install Root Certificate       1      T1130
  Credential Access     Credentials in Files           1      T1081
  Discovery             System Information Discovery   1      T1082
  Collection            Data from Local System         1      T1005
  Impact                Inhibit System Recovery        2      T1490
  Impact                Defacement                     1      T1491

Tasks