Resubmissions

Date              Task ID             Score
16-04-2022 11:38  220416-nrxnssebgm   10
16-04-2022 05:50  220416-gjmqasfeh5   10

General

  • Target: madk.exe
  • Size: 3.4MB
  • Sample: 220416-nrxnssebgm
  • MD5: d00af5991807952929e5b986afd295c9
  • SHA1: 7f5cc8203f2e22bea24bf7f7b2995dc2ef3571ee
  • SHA256: 025e8edef965f9376d6a0387c3f2952c19e727629920aeea544d963ee89b1594
  • SHA512: c032eec4bbb1a34113ea86606ae3b1c5d94a7f6f7d52d3347341312d4bf3af2dfa730d549b612a37353a21274eae8f10960ad105fc52c4955c33cccf5f0c1cd6

Malware Config

Extracted

Path: C:\Users\Admin\Desktop\@Please_Read_Me@.txt

Family: wannacry

Ransom Note:

Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting!

Q: What do I do?
A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.)

Q: How can I trust?
A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
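The wallet above was pulled out of the ransom note by the sandbox's config extractor. The following is an added example (not part of this report or the sandbox's own extractor) of doing the same by hand: it scans the note text for legacy Bitcoin address candidates and the demanded amount, then runs each candidate through Base58Check so that a mistyped, decoy or extraction-damaged address is flagged before it goes into a blocklist or a chain-analysis query. The note excerpt is copied from this report; the regexes and the function names are this example's own choices.

```python
import hashlib
import re

# Excerpt of the ransom note shown in this report (@Please_Read_Me@.txt),
# embedded here so the example runs offline.
RANSOM_NOTE = (
    "Q: What do I do? A: First, you need to pay service fees for the decryption. "
    "Please send $300 worth of bitcoin to this bitcoin address: "
    "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file "
    'named "@WanaDecryptor@.exe". It is the decrypt software.'
)

# Base58 alphabet used by Bitcoin (no 0, O, I, l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Legacy (P2PKH/P2SH) address candidates: leading 1 or 3, 26-35 base58 chars.
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
AMOUNT_RE = re.compile(r"\$(\d[\d,]*)")


def b58decode(s: str) -> bytes:
    """Decode a base58 string; each leading '1' encodes a leading 0x00 byte."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not a base58 character: {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_ones + body


def is_valid_p2pkh(addr: str) -> bool:
    """Base58Check for a P2PKH address: version 0x00, 20-byte hash160,
    4-byte checksum = first 4 bytes of sha256(sha256(version || hash160))."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] != 0x00:
        return False
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return expected == checksum


def extract_iocs(note: str) -> dict:
    """Return wallet candidates (each with its Base58Check result) and the
    dollar amounts demanded in the note."""
    wallets = [
        {"address": a, "base58check_ok": is_valid_p2pkh(a)}
        for a in ADDR_RE.findall(note)
    ]
    amounts = [a.replace(",", "") for a in AMOUNT_RE.findall(note)]
    return {"wallets": wallets, "amount_usd": amounts}


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(RANSOM_NOTE), indent=2))
```

The checksum result is carried alongside the address rather than used to drop it: a ransom note can contain a syntactically broken address (typo by the operator, or damage during extraction) and you still want it recorded, just not trusted as a lookup key.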

Targets

    • Target: madk.exe (size and hashes as listed under General)

    • Modifies system executable filetype association

    • Registers COM server for autorun

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Detected Stratum cryptominer command

      Looks to be attempting to contact Stratum mining pool.

    • XMRig Miner Payload

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Possible privilege escalation attempt

    • Sets file execution options in registry

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Stops running service(s)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calling NtSetInformationThread with the ThreadHideFromDebugger class detaches the thread from any attached debugger, a common anti-analysis technique.
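Several of the signatures above (shadow-copy deletion, event-log clearing, service stops, hiding files, permission changes, the Stratum miner command) correspond to command lines that show up in process-creation telemetry, so they can be turned into host detections. The following is an added example, not code from this report or the sandbox: it runs a small rule set over constructed command lines and labels each hit with the signature name used here and the ATT&CK v6 technique ID from the matrix below. The sample events are constructed for this example (the first three are modelled on command lines publicly documented for WannaCry; the pool host is a placeholder), the regexes are this example's own choice of indicators, and the T1496 mapping for the miner rule is added by the example and is not in this report's matrix.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str           # signature name as used in this report
    attack_id: str      # ATT&CK v6 technique ID
    pattern: re.Pattern


# Indicators are this example's own; they mirror the report's signatures,
# not the sandbox's internal logic.
RULES = [
    Rule("Deletes shadow copies", "T1490", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
        r"wbadmin(\.exe)?\s+delete\s+catalog|bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I)),
    Rule("Clears Windows event logs", "T1070", re.compile(
        r"wevtutil(\.exe)?\s+(cl|clear-log)\s+\S+", re.I)),
    Rule("Stops running service(s)", "T1489", re.compile(
        r"\b(net(\.exe)?\s+stop|sc(\.exe)?\s+stop)\s+\S+", re.I)),
    Rule("Sets file to hidden", "T1158", re.compile(
        r"attrib(\.exe)?\s+.*\+h\b", re.I)),
    Rule("Modifies file permissions", "T1222", re.compile(
        r"icacls(\.exe)?\s+.*/grant\s+Everyone", re.I)),
    # T1496 (Resource Hijacking) is not in this report's matrix; added here.
    Rule("Detected Stratum cryptominer command", "T1496", re.compile(
        r"stratum\+(tcp|ssl)://|--donate-level|\s-o\s+\S+:\d{2,5}\b.*\s-u\s", re.I)),
]

# Constructed process-creation command lines (not captured from this sample).
SAMPLE_EVENTS = [
    # modelled on the publicly documented WannaCry recovery-inhibition chain
    "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
    "bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
    "bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet",
    "attrib +h .",
    "icacls . /grant Everyone:F /T /C /Q",
    # constructed: log wipe and service stop
    "wevtutil.exe cl Security",
    "net stop MSExchangeIS",
    # constructed: miner launch; pool host and wallet are placeholders
    "svchost.exe -o stratum+tcp://pool.example.invalid:3333 -u 4ABCDEFwallet -p x --donate-level=1",
    # benign noise that must not fire
    "notepad.exe C:\\Users\\Admin\\Desktop\\notes.txt",
]


def classify(cmdline: str) -> list[tuple[str, str]]:
    """Return (signature name, ATT&CK ID) for every rule the command line matches."""
    return [(r.name, r.attack_id) for r in RULES if r.pattern.search(cmdline)]


def tally(events: list[str]) -> dict[str, int]:
    """Count hits per ATT&CK ID, the same shape as the report's matrix counts."""
    counts: Counter = Counter()
    for cmd in events:
        for _, attack_id in classify(cmd):
            counts[attack_id] += 1
    return dict(counts)


if __name__ == "__main__":
    for cmd in SAMPLE_EVENTS:
        print(f"{classify(cmd) or '-'}  <-  {cmd[:70]}")
    print(tally(SAMPLE_EVENTS))
```

The rules are deliberately keyed on the administrative tools (vssadmin, wmic, bcdedit, wbadmin, wevtutil, net, attrib, icacls) rather than on the sample's hashes, since the same chain recurs across ransomware families while the binary changes with every build; expect to whitelist legitimate backup and maintenance jobs that run the same tools.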

MITRE ATT&CK Matrix (ATT&CK v6)

Count is the number of matched signatures the sandbox attributes to each technique.

Tactic               Technique                           Count  ID
Persistence          Change Default File Association     1      T1042
Persistence          Registry Run Keys / Startup Folder  3      T1060
Persistence          Hidden Files and Directories        2      T1158
Persistence          Modify Existing Service             1      T1031
Persistence          Browser Extensions                  1      T1176
Defense Evasion      Modify Registry                     8      T1112
Defense Evasion      Indicator Removal on Host           1      T1070
Defense Evasion      File Deletion                       2      T1107
Defense Evasion      Hidden Files and Directories        2      T1158
Defense Evasion      Impair Defenses                     1      T1562
Defense Evasion      File Permissions Modification       1      T1222
Defense Evasion      Install Root Certificate            1      T1130
Credential Access    Credentials in Files                2      T1081
Discovery            Query Registry                      5      T1012
Discovery            System Information Discovery        6      T1082
Discovery            Peripheral Device Discovery         2      T1120
Discovery            Remote System Discovery             1      T1018
Collection           Data from Local System              2      T1005
Command and Control  Web Service                         1      T1102
Impact               Inhibit System Recovery             2      T1490
Impact               Service Stop                        1      T1489
Impact               Defacement                          1      T1491

The IDs are ATT&CK v6. Several of them have since been retired or folded into sub-techniques in current ATT&CK (for example T1060 is now T1547.001, T1158 is T1564.001, T1107 is T1070.004, T1081 is T1552.001 and T1130 is T1553.004), so translate them before matching this report against a modern detection catalogue.
