General

  • Target

    HEUR-Backdoor.Win32.Agent.gen-1334569f29339f990ca7a43d323666c6d1b27d7c5d884c287e254aa8b7345daf.exe

  • Size

    6MB

  • Sample

    220925-vdy32afdg3

  • MD5

    942b003ffc9738426d16af08281d1791

  • SHA1

    97f1e7c168261607f114a92ed0af31baf68b1599

  • SHA256

    1334569f29339f990ca7a43d323666c6d1b27d7c5d884c287e254aa8b7345daf

  • SHA512

    19d4b0708f55b266be1282eff9f37e493d2567e4470092b1f0ae479574d7e46b2a558cc9c113db2a883595360c038121abbdd3a28b3b3794fc146b83395a8f27

Malware Config

Extracted

Path

C:\Windows\Temp\@Please_Read_Me@.txt

Family

wannacry

Ransom Note Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Extracted

Path

C:\Windows\Temp\@Please_Read_Me@.txt

Family

wannacry

Ransom Note Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Targets

    • Target

      HEUR-Backdoor.Win32.Agent.gen-1334569f29339f990ca7a43d323666c6d1b27d7c5d884c287e254aa8b7345daf.exe

    • Size

      6MB

    • MD5

      942b003ffc9738426d16af08281d1791

    • SHA1

      97f1e7c168261607f114a92ed0af31baf68b1599

    • SHA256

      1334569f29339f990ca7a43d323666c6d1b27d7c5d884c287e254aa8b7345daf

    • SHA512

      19d4b0708f55b266be1282eff9f37e493d2567e4470092b1f0ae479574d7e46b2a558cc9c113db2a883595360c038121abbdd3a28b3b3794fc146b83395a8f27

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Execution

      Exfiltration

        Impact

        Initial Access

          Lateral Movement

            Privilege Escalation