General
- Target: disney__valid_combos.txt
- Size: 18KB
- Sample: 220826-3qx1habbdk
- MD5: f52af7653650c4abb52b3a83eda168b0
- SHA1: ba3d5f7aef5a5e5aa456a994f3bfd8d5604a030e
- SHA256: 65f8627ffed18384566a5489b726d8725a7279e4b62bc3ad15afc28455b3327e
- SHA512: d8f64d533fb2fc2ba4937d6db981c5adffd9ef13aee2241c1cdbfb2729c73ae9288c820cf5789c0c2fa57871b1369237a5bcb42f9bc36517ad227f8a7890c199
- SSDEEP: 384:XAWO6NBYbG2jtjDC91SPDJLTAAc2BQanwtROezuqApI:wWOvbjqSL10p2Pw7OePApI
Static task: static1
Behavioral task: behavioral1
- Sample: disney__valid_combos.txt
- Resource: win10v2004-20220812-en
Malware Config
Extracted
- Path: C:\Users\Admin\Desktop\@Please_Read_Me@.txt
- Family: wannacry
- Wallet: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Targets
- Target: disney__valid_combos.txt (18KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
- Suspicious use of NtCreateProcessExOtherParentProcess
- Creates new service(s)
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies Windows Firewall
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
- Registers COM server for autorun
- Uses Session Manager for persistence
  Creates a Session Manager registry key to run an executable early in system boot.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Drops startup file
- Loads dropped DLL
- Modifies file permissions
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- New Service (1)
- Modify Existing Service (1)
- Registry Run Keys / Startup Folder (3)
- Scheduled Task (1)
- Hidden Files and Directories (1)
Defense Evasion
- Modify Registry (6)
- File Permissions Modification (1)
- Install Root Certificate (1)
- Hidden Files and Directories (1)