Resubmissions

Submitted           Sample ID            Score
19-11-2022 21:40    221119-1jgzlacd49    8
19-11-2022 13:48    221119-q4ed4adg34    10
19-11-2022 06:26    221119-g7aqmscg91    10
19-11-2022 05:30    221119-f67hjsbc8t    10
15-11-2022 20:50    221115-zm3j2abf6y    10
15-11-2022 20:50    221115-zmpm6sfh23    10
15-11-2022 20:49    221115-zl6kasfg98    10
15-11-2022 20:19    221115-y4ct9sff87    10
14-11-2022 19:39    221114-yc4tnsdb92    10
14-11-2022 19:34    221114-yakb9adb83    10

General

  • Target: db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50
  • Size: 206KB
  • Sample: 221119-q4ed4adg34
  • MD5: 3c6bdf4c6b61e2d4603eafad076aa092
  • SHA1: 4ac90d351b8b8a135331be1ae059ebb823347fe1
  • SHA256: 2a6299dfcbcf3186ded295395c7028d651ff178df40d587b531b6bc25f2e3d3f
  • SHA512: ddaac427bfbf4b1236b1f3d10ab6437eb88d63ec1a44326275eba56d455362e910334931d31b389ef27b51b9e4dde7ab2496ed2ceb5cdff894a86f103351bb37
  • SSDEEP: 6144:uFr8GBofok1bHyX1heFZU1EwFXGHPEuL+ahZ:uLCfoOTyXGQbFMPEib

Malware Config

Extracted

  • Path: C:\Users\Admin\Desktop\@Please_Read_Me@.txt
  • Family: wannacry
  • Ransom Note:

    Q: What's wrong with my files?
    A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting!

    Q: What do I do?
    A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.)

    Q: How can I trust?
    A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users.

    * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.

  • Wallets: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Targets

    • Target: db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50
    • Size: 307KB
    • MD5: 0abe50c1509136bf62d2184ab439e7a5
    • SHA1: 722a7e2a0dd66f506ba93d24946b8bf504b100c0
    • SHA256: db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50
    • SHA512: 0c232d1eaf68c0099fb499fcd40bb33cd604f0259a71b853c296e00cc468342de95548ccf61d9e904cef5d34fd94defbb43f844e9f50a51517c7c95ab66862c5
    • SSDEEP: 6144:Gu0FGLnBOUaLPP7S9dW8dsgMF24raEn2E1a:Gu0wTBOU2Pj6EisgM/uUv

    • Detects Smokeloader packer

    • Modifies system executable filetype association

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Registers COM server for autorun

    • Sets DLL path for service in the registry

    • Sets service image path in registry

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic               Technique                              Count  ID
Execution            Command-Line Interface                 1      T1059
Persistence          Change Default File Association        1      T1042
Persistence          Registry Run Keys / Startup Folder     5      T1060
Persistence          Modify Existing Service                1      T1031
Persistence          Hidden Files and Directories           1      T1158
Defense Evasion      Modify Registry                        8      T1112
Defense Evasion      File Deletion                          1      T1107
Defense Evasion      Impair Defenses                        1      T1562
Defense Evasion      File Permissions Modification          1      T1222
Defense Evasion      Install Root Certificate               1      T1130
Defense Evasion      Hidden Files and Directories           1      T1158
Credential Access    Credentials in Files                   1      T1081
Discovery            Query Registry                         6      T1012
Discovery            System Information Discovery           8      T1082
Discovery            Security Software Discovery            1      T1063
Discovery            Peripheral Device Discovery            2      T1120
Collection           Data from Local System                 1      T1005
Collection           Email Collection                       2      T1114
Impact               Inhibit System Recovery                1      T1490
Impact               Service Stop                           1      T1489

Tasks