General

  • Target

    HEUR-Trojan-PSW.MSIL.Anagra.gen-e64a182607d00395ebd9658681b3bb8f8d5a3436587a2bb5f50355b65a647bd8.exe

  • Size

    9MB

  • Sample

    220922-v91azafghl

  • MD5

    e75dff9d996dfb5819c678125f3ab581

  • SHA1

    4108c1c194bcc3643413b98073b67d2c57507435

  • SHA256

    e64a182607d00395ebd9658681b3bb8f8d5a3436587a2bb5f50355b65a647bd8

  • SHA512

    209a8c617d3c6bcd6d82cefb9d6c7ae4114bb157d181c17bf407d74e0f10d8a44b1a8c10ac71b2532282d49be8c5218527b0b16514f80c3cf1ff76ca23fdb767

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@Please_Read_Me@.txt

Family

wannacry

Ransom Note Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@Please_Read_Me@.txt

Family

wannacry

Ransom Note Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Targets

    • Target

      HEUR-Trojan-PSW.MSIL.Anagra.gen-e64a182607d00395ebd9658681b3bb8f8d5a3436587a2bb5f50355b65a647bd8.exe

    • Size

      9MB

    • MD5

      e75dff9d996dfb5819c678125f3ab581

    • SHA1

      4108c1c194bcc3643413b98073b67d2c57507435

    • SHA256

      e64a182607d00395ebd9658681b3bb8f8d5a3436587a2bb5f50355b65a647bd8

    • SHA512

      209a8c617d3c6bcd6d82cefb9d6c7ae4114bb157d181c17bf407d74e0f10d8a44b1a8c10ac71b2532282d49be8c5218527b0b16514f80c3cf1ff76ca23fdb767

    • Modifies WinLogon for persistence

    • Modifies system executable filetype association

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Possible privilege escalation attempt

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Sets desktop wallpaper using registry