wannacry

General

Target

54629897266ae678b269e56f847f5e09
Size

5.0MB
Sample

220720-dflgaabbe3
MD5

54629897266ae678b269e56f847f5e09
SHA1

94ad6ac2eb3198d84e46da5159f67b2e09cb6042
SHA256

80af5e08895469ebfa7e5b1e6f4209dd01711c8e18774aa2630eb34fe9afdafd
SHA512

36d4519511988481f1bb7e1a5c3cf85cbbd295c6b86a03c8124cb1dc718d1477e099aeba7f9776d2295f2a4708799559e5d0fe916aabe8336c89e1a01c9cd6d0

Score

10^/10

Malware Config

Extracted

Path

C:\ProgramData\mdqayrxpggqcqkh105\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 1M9sgF4zhpusQA82rtTbrcZGKD5oBrSW5t Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

1M9sgF4zhpusQA82rtTbrcZGKD5oBrSW5t

Extracted

Path

C:\ProgramData\ggoxfcwi862\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15nzzRpAsbgd1mmoqQRtiXxN49f4LcmTh4 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

15nzzRpAsbgd1mmoqQRtiXxN49f4LcmTh4

Targets

- Target
  
  54629897266ae678b269e56f847f5e09
- Size
  
  5.0MB
- MD5
  
  54629897266ae678b269e56f847f5e09
- SHA1
  
  94ad6ac2eb3198d84e46da5159f67b2e09cb6042
- SHA256
  
  80af5e08895469ebfa7e5b1e6f4209dd01711c8e18774aa2630eb34fe9afdafd
- SHA512
  
  36d4519511988481f1bb7e1a5c3cf85cbbd295c6b86a03c8124cb1dc718d1477e099aeba7f9776d2295f2a4708799559e5d0fe916aabe8336c89e1a01c9cd6d0
Score

10^/10

wannacry discovery persistence ransomware spyware stealer worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Contacts a large (3024) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Contacts a large (1429) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2