General

  • Target

    HEUR-Trojan.Win32.Generic-52f418cf6a5177d34668b112a0eb6c3621d7f1fbc046caded45d3750513f539d.exe

  • Size

    6MB

  • Sample

    220925-vdzpkafdg9

  • MD5

    bcd24fea17ad5111304ae113f9940cb3

  • SHA1

    c37587eb2d08c7a597e91e7ab846d8ff9bd5e973

  • SHA256

    52f418cf6a5177d34668b112a0eb6c3621d7f1fbc046caded45d3750513f539d

  • SHA512

    3c3b6b67ef8f0fa8330a4211d12164698ba424c034e3bab8e391027abe8cde00df143ccd38301d4c9e53280bf52e431eba4907d2841e6d51357504d5566473d3

Malware Config

Extracted

Path

C:\Windows\Temp\@Please_Read_Me@.txt

Family

wannacry

Ransom Note Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Extracted

Path

C:\Windows\Temp\@Please_Read_Me@.txt

Family

wannacry

Ransom Note Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Targets

    • Target

      HEUR-Trojan.Win32.Generic-52f418cf6a5177d34668b112a0eb6c3621d7f1fbc046caded45d3750513f539d.exe

    • Size

      6MB

    • MD5

      bcd24fea17ad5111304ae113f9940cb3

    • SHA1

      c37587eb2d08c7a597e91e7ab846d8ff9bd5e973

    • SHA256

      52f418cf6a5177d34668b112a0eb6c3621d7f1fbc046caded45d3750513f539d

    • SHA512

      3c3b6b67ef8f0fa8330a4211d12164698ba424c034e3bab8e391027abe8cde00df143ccd38301d4c9e53280bf52e431eba4907d2841e6d51357504d5566473d3

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Execution

      Exfiltration

        Initial Access

          Lateral Movement

            Privilege Escalation