Overview

overview

10

Static

static

UDS-Virus....c6.exe

windows7-x64

10

UDS-Virus....c6.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe

  • Size

    148KB

  • Sample

    220929-pwav9sahb3

  • MD5

    d197fad90535fb974db139537a091a5b

  • SHA1

    5529175952d3fa0697124260e46ec1dbd0c63ae7

  • SHA256

    a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6

  • SHA512

    1d43209ee1d950a433b08a05a23c69f88b376db3f52f29c84301d5235febda52a37c690abec96c2dfd63d4917b731b5544a548ce1490d9cf36aba9a031bac35d

  • SSDEEP

    3072:Gs6dE9I6+dZXlX1sZhuJHxleadYgJcuFsdazXflJv:GYpC16C6adXcFcz

Score
10/10
badrabbittroldeshwannacrybootkitdiscoveryevasionpersistenceransomwarethemidatrojanupxworm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Extracted

Language
hta
Source
URLs
hta.dropper

http://78.26.187.35/soft-usage/favicon.ico?0=1200&1=XZIOFAVD&2=i-s&3=61&4=9200&5=6&6=2&7=919041&8=1033

Targets

    • Target

      UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe

    • Size

      148KB

    • MD5

      d197fad90535fb974db139537a091a5b

    • SHA1

      5529175952d3fa0697124260e46ec1dbd0c63ae7

    • SHA256

      a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6

    • SHA512

      1d43209ee1d950a433b08a05a23c69f88b376db3f52f29c84301d5235febda52a37c690abec96c2dfd63d4917b731b5544a548ce1490d9cf36aba9a031bac35d

    • SSDEEP

      3072:Gs6dE9I6+dZXlX1sZhuJHxleadYgJcuFsdazXflJv:GYpC16C6adXcFcz

    Score
    10/10
    badrabbittroldeshwannacrybootkitdiscoveryevasionpersistenceransomwarethemidatrojanupxworm

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

      ransomwarebadrabbit

    • Modifies WinLogon for persistence

      persistence

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

      ransomwaretrojantroldesh

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

      evasion

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Enumerates VirtualBox registry keys

      evasion

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Sets file execution options in registry

      persistence

    • Stops running service(s)

      evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies WinLogon

      persistence

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Bootkit

1
T1067

Hidden Files and Directories

1
T1158

Modify Existing Service

2
T1031

Registry Run Keys / Startup Folder

2
T1060

Scheduled Task

1
T1053

Winlogon Helper DLL

2
T1004

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

File Deletion

2
T1107

File and Directory Permissions Modification

1
T1222

Hidden Files and Directories

1
T1158

Impair Defenses

1
T1562

Install Root Certificate

1
T1130

Modify Registry

9
T1112

Virtualization/Sandbox Evasion

2
T1497

Web Service

1
T1102

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

6
T1012

Remote System Discovery

1
T1018

Software Discovery

1
T1518

System Information Discovery

4
T1082

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Inhibit System Recovery

2
T1490

Service Stop

1
T1489

Tasks