General

Target: madk.exe
Size: 3.4MB
Sample: 220416-nrxnssebgm
MD5: d00af5991807952929e5b986afd295c9
SHA1: 7f5cc8203f2e22bea24bf7f7b2995dc2ef3571ee
SHA256: 025e8edef965f9376d6a0387c3f2952c19e727629920aeea544d963ee89b1594
SHA512: c032eec4bbb1a34113ea86606ae3b1c5d94a7f6f7d52d3347341312d4bf3af2dfa730d549b612a37353a21274eae8f10960ad105fc52c4955c33cccf5f0c1cd6
Static task: static1

Malware Config

Extracted from: C:\Users\Admin\Desktop\@Please_Read_Me@.txt
Family: wannacry
Wallet: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
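A first sanity check on an extracted config is whether the wallet string is actually a well-formed Bitcoin address, since a corrupted or partially overwritten ransom note can yield a value that looks right but fails the address checksum. The following is an added example, not code from the sandbox or from the sample: it Base58Check-decodes the address the report lists above and verifies its 4-byte double-SHA256 checksum. The helper names (`b58check_decode`, `classify_address`, `triage_config`) and the field labels are this example's own.

```python
import hashlib
from typing import Optional

# Base58 alphabet used by Bitcoin addresses (0, O, I and l are excluded).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Wallet address the sandbox extracted from the ransom note (value taken from the report above).
REPORT_BTC_ADDRESS = "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn"


def b58check_decode(address: str) -> Optional[bytes]:
    """Decode a 25-byte Base58Check string (version || hash160 || checksum).

    Returns the 21-byte payload (version byte + 20-byte hash) if the
    4-byte double-SHA256 checksum verifies, otherwise None.
    """
    n = 0
    for ch in address:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None                      # character outside the alphabet
        n = n * 58 + idx
    try:
        raw = n.to_bytes(25, "big")          # legacy addresses are exactly 25 bytes
    except OverflowError:
        return None                          # too long to be an address
    # Base58 encodes each leading zero byte as a literal '1'; the counts must
    # agree, which also rejects strings that are too short.
    leading_ones = len(address) - len(address.lstrip("1"))
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    if leading_ones != leading_zeros:
        return None
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if checksum != expected:
        return None                          # typo, truncation or not an address
    return payload


def classify_address(address: str) -> str:
    """Map a mainnet address to 'p2pkh' (version 0x00), 'p2sh' (0x05) or 'invalid'."""
    payload = b58check_decode(address)
    if payload is None:
        return "invalid"
    return {0x00: "p2pkh", 0x05: "p2sh"}.get(payload[0], "invalid")


def triage_config(note_path: str, family: str, wallet: str) -> dict:
    """Bundle the extracted config fields with a validity verdict for the wallet.

    Field names are this example's own, not the sandbox's schema.
    """
    return {
        "note_path": note_path,
        "family": family,
        "wallet": wallet,
        "wallet_type": classify_address(wallet),
    }


if __name__ == "__main__":
    print(triage_config(r"C:\Users\Admin\Desktop\@Please_Read_Me@.txt",
                        "wannacry", REPORT_BTC_ADDRESS))
```

A checksum pass only says the string is a syntactically valid address; whether it is the one the operator actually uses is a question for the ransom note itself and blockchain lookups, not for this check.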
Targets

Target: madk.exe
Signatures

- Modifies system executable filetype association
- Registers COM server for autorun
- Clears Windows event logs
- XMRig Miner Payload
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies extensions of user files: ransomware generally changes the extension on encrypted files.
- Possible privilege escalation attempt
- Sets file execution options in registry
- Stops running service(s)
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Modifies file permissions
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate installed software.
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
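Four of the registry-based signatures above (Run key persistence, Image File Execution Options, the exefile association hijack, and the wallpaper change) correspond to well-known registry locations that can be matched in endpoint telemetry. The block below is an added example, not the sandbox's own detection logic: it runs simple key-path rules over a handful of constructed, Sysmon-style registry-set events (EventID 13) and reports which signature each one triggers. The event lines, the value names (`updater`, `taskmgr.exe`, `wallpaper.bmp`) and the log format are constructed for this example; the registry paths themselves are the standard Windows locations.

```python
import re
from typing import Iterable, List, Tuple

# Registry locations behind four of the sandbox signatures listed above.
# The mapping of path pattern to signature name is this example's own.
REGISTRY_SIGNATURES = {
    "Adds Run key to start application":
        re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I),
    "Sets file execution options in registry":
        re.compile(r"\\Image File Execution Options\\", re.I),
    "Modifies system executable filetype association":
        re.compile(r"\\(exefile|batfile|cmdfile|comfile)\\shell\\open\\command", re.I),
    "Sets desktop wallpaper using registry":
        re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I),
}

# Constructed sample events in a flat key=value form (not real sandbox output).
# Values may contain spaces, so fields are split on the next " key=" boundary.
SAMPLE_EVENTS = r"""
EventID=1 Image=C:\Users\Admin\Desktop\madk.exe CommandLine=madk.exe
EventID=13 Image=C:\Users\Admin\Desktop\madk.exe TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater Details=C:\Users\Admin\Desktop\madk.exe
EventID=13 Image=C:\Users\Admin\Desktop\madk.exe TargetObject=HKCU\Control Panel\Desktop\Wallpaper Details=C:\Users\Admin\Desktop\wallpaper.bmp
EventID=13 Image=C:\Users\Admin\Desktop\madk.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger Details=C:\Users\Admin\Desktop\madk.exe
EventID=13 Image=C:\Users\Admin\Desktop\madk.exe TargetObject=HKCR\exefile\shell\open\command\(Default) Details="C:\Users\Admin\Desktop\madk.exe" "%1"
EventID=13 Image=C:\Windows\explorer.exe TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx Details=Binary Data
""".strip().splitlines()

# key=value pairs; a value runs until the next whitespace-separated "key=" or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Turn one flat event line into a field dictionary."""
    return dict(FIELD_RE.findall(line))


def match_signatures(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (signature name, writing process image) for every registry-set
    event whose target key matches one of the watched locations."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":        # only registry value-set events
            continue
        target = ev.get("TargetObject", "")
        for name, pattern in REGISTRY_SIGNATURES.items():
            if pattern.search(target):
                hits.append((name, ev.get("Image", "")))
    return hits


if __name__ == "__main__":
    for name, image in match_signatures(SAMPLE_EVENTS):
        print(f"{name}  <-  {image}")
```

The benign explorer.exe write to RecentDocs and the process-creation event produce no hit, so on the constructed input exactly the four signatures fire, each attributed to madk.exe. In production telemetry the same rules need an allow-list for installers and management agents that legitimately write Run keys and file associations.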
MITRE ATT&CK Matrix (ATT&CK v6)

The number in parentheses is the count the report attached to each technique.

Persistence
- Change Default File Association (1)
- Registry Run Keys / Startup Folder (3)
- Hidden Files and Directories (2)
- Modify Existing Service (1)
- Browser Extensions (1)

Defense Evasion
- Modify Registry (8)
- Indicator Removal on Host (1)
- File Deletion (2)
- Hidden Files and Directories (2)
- Impair Defenses (1)
- File Permissions Modification (1)
- Install Root Certificate (1)