General

  • Target

    UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe

  • Size

    148KB

  • Sample

    220929-pwav9sahb3

  • MD5

    d197fad90535fb974db139537a091a5b

  • SHA1

    5529175952d3fa0697124260e46ec1dbd0c63ae7

  • SHA256

    a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6

  • SHA512

    1d43209ee1d950a433b08a05a23c69f88b376db3f52f29c84301d5235febda52a37c690abec96c2dfd63d4917b731b5544a548ce1490d9cf36aba9a031bac35d

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@Please_Read_Me@.txt

Family

wannacry

Ransom Note Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Extracted

Language hta
Source
URLs
hta.dropper

http://78.26.187.35/soft-usage/favicon.ico?0=1200&1=XZIOFAVD&2=i-s&3=61&4=9200&5=6&6=2&7=919041&8=1033

Targets

    • Target

      UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe

    • Size

      148KB

    • MD5

      d197fad90535fb974db139537a091a5b

    • SHA1

      5529175952d3fa0697124260e46ec1dbd0c63ae7

    • SHA256

      a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6

    • SHA512

      1d43209ee1d950a433b08a05a23c69f88b376db3f52f29c84301d5235febda52a37c690abec96c2dfd63d4917b731b5544a548ce1490d9cf36aba9a031bac35d

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Modifies WinLogon for persistence

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Enumerates VirtualBox registry keys

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets file execution options in registry

    • Stops running service(s)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Modifies file permissions

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies WinLogon

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger