wannacry | 483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6 | Triage

Submit
Reports

Overview

overview

Static

static

8

483c7fa66d...e6.exe

windows7_x64

483c7fa66d...e6.exe

windows10-2004_x64

Sharing

General

Target

483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6
Size

5.4MB
Sample

220714-ee5dfafba4
MD5

a755f76611af191caac97da04633b012
SHA1

ee2fba5a45e09e560c67f5107f76cf6e9a36ab53
SHA256

483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6
SHA512

b53fee6fb2b1013989e963b67f11924b8498e198b779fcfb49dc2154ca1a61c89f5abb32b91ed1052052a9c40f7ee1c2c58abf6ee1877b712d7b5899f2d97840

Score

10^/10

wannacry discovery evasion persistence ransomware upx worm

Static task

static1

Behavioral task

behavioral1

Sample

483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe

Resource

win7-20220414-en

wannacry discovery evasion persistence ransomware upx worm

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6.exe

Resource

win10v2004-20220414-en

wannacry discovery evasion persistence ransomware upx worm

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6
- Size
  
  5.4MB
- MD5
  
  a755f76611af191caac97da04633b012
- SHA1
  
  ee2fba5a45e09e560c67f5107f76cf6e9a36ab53
- SHA256
  
  483c7fa66d9cf56e48741b7c4516906c78d71a89ef64529266d607ff7e0544e6
- SHA512
  
  b53fee6fb2b1013989e963b67f11924b8498e198b779fcfb49dc2154ca1a61c89f5abb32b91ed1052052a9c40f7ee1c2c58abf6ee1877b712d7b5899f2d97840
Score

10^/10

wannacry discovery evasion persistence ransomware upx worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Drops file in Drivers directory
- Executes dropped EXE
- Sets file execution options in registry
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Stops running service(s)
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Modifies file permissions
  discovery
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Hidden Files and Directories

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Hidden Files and Directories

Impair Defenses

File Permissions Modification

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

Tasks

static1

behavioral1

wannacrydiscoveryevasionpersistenceransomwareupxworm

behavioral2

wannacrydiscoveryevasionpersistenceransomwareupxworm

© 2018-2024

Terms | Privacy