General

  • Target

    HEUR-Trojan-PSW.MSIL.Anagra.gen-e64a182607d00395ebd9658681b3bb8f8d5a3436587a2bb5f50355b65a647bd8.exe

  • Size

    9.3MB

  • Sample

    220922-v91azafghl

  • MD5

    e75dff9d996dfb5819c678125f3ab581

  • SHA1

    4108c1c194bcc3643413b98073b67d2c57507435

  • SHA256

    e64a182607d00395ebd9658681b3bb8f8d5a3436587a2bb5f50355b65a647bd8

  • SHA512

    209a8c617d3c6bcd6d82cefb9d6c7ae4114bb157d181c17bf407d74e0f10d8a44b1a8c10ac71b2532282d49be8c5218527b0b16514f80c3cf1ff76ca23fdb767

  • SSDEEP

    98304:/eKh9jBA5gjbnI3OkLFxD5tKZDunjxynuzgqPoBhz1aRxcSUDk36SAEdhvxWa9PA:/XrjPqPe1Cxcxk3ZAEUadzR8yc4gvF

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@Please_Read_Me@.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@Please_Read_Me@.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Targets

    • Target

      HEUR-Trojan-PSW.MSIL.Anagra.gen-e64a182607d00395ebd9658681b3bb8f8d5a3436587a2bb5f50355b65a647bd8.exe

    • Size

      9.3MB

    • MD5

      e75dff9d996dfb5819c678125f3ab581

    • SHA1

      4108c1c194bcc3643413b98073b67d2c57507435

    • SHA256

      e64a182607d00395ebd9658681b3bb8f8d5a3436587a2bb5f50355b65a647bd8

    • SHA512

      209a8c617d3c6bcd6d82cefb9d6c7ae4114bb157d181c17bf407d74e0f10d8a44b1a8c10ac71b2532282d49be8c5218527b0b16514f80c3cf1ff76ca23fdb767

    • SSDEEP

      98304:/eKh9jBA5gjbnI3OkLFxD5tKZDunjxynuzgqPoBhz1aRxcSUDk36SAEdhvxWa9PA:/XrjPqPe1Cxcxk3ZAEUadzR8yc4gvF

    • Modifies WinLogon for persistence

    • Modifies system executable filetype association

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Possible privilege escalation attempt

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Winlogon Helper DLL

1
T1004

Change Default File Association

1
T1042

Registry Run Keys / Startup Folder

1
T1060

Bootkit

1
T1067

Hidden Files and Directories

1
T1158

Defense Evasion

Modify Registry

6
T1112

File Deletion

2
T1107

File Permissions Modification

1
T1222

Install Root Certificate

1
T1130

Hidden Files and Directories

1
T1158

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Impact

Inhibit System Recovery

2
T1490

Defacement

1
T1491

Tasks