Overview

overview

10

Static

static

Petya.A.zip

windows7-x64

10

Petya.A.zip

windows10-2004-x64

8

Resubmissions

02-02-2023 03:06

230202-dlzwvsee69 10

02-02-2023 03:04

230202-dk4tesee62 1

02-02-2023 02:57

230202-df3qkaee33 6

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Petya.A.zip

  • Size

    133KB

  • Sample

    230202-dlzwvsee69

  • MD5

    82e7fcb4516fe8aa646853a3dd996b52

  • SHA1

    548f18a1d50b0a0eb38a4a7d5e31212e423071c1

  • SHA256

    373c74b50f3db82289c7d04e2ae5b49af8a4f0f5aef2ebd62dd633dc16f76306

  • SHA512

    687560aaa21657bd00b0dafb0efc43cc23a3451f04c874bcdf1e369a4495bea92da0d8674efcb188857735e49127530aca8ae7b69f9d0c4d0580d3223bf98119

  • SSDEEP

    3072:pxTRgFloaoWrgdNHWkw1SBq25tdRRBXQmEZP6u3OP9HCmeDuqJkBgtBI38Etu8q5:HTRgFloQDuqJegtBI38EY8qiy1v+m//Z

Score
10/10
wannacrybootkitdiscoverypersistenceransomwareworm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@Please_Read_Me@.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Targets

    • Target

      Petya.A.zip

    • Size

      133KB

    • MD5

      82e7fcb4516fe8aa646853a3dd996b52

    • SHA1

      548f18a1d50b0a0eb38a4a7d5e31212e423071c1

    • SHA256

      373c74b50f3db82289c7d04e2ae5b49af8a4f0f5aef2ebd62dd633dc16f76306

    • SHA512

      687560aaa21657bd00b0dafb0efc43cc23a3451f04c874bcdf1e369a4495bea92da0d8674efcb188857735e49127530aca8ae7b69f9d0c4d0580d3223bf98119

    • SSDEEP

      3072:pxTRgFloaoWrgdNHWkw1SBq25tdRRBXQmEZP6u3OP9HCmeDuqJkBgtBI38Etu8q5:HTRgFloQDuqJegtBI38EY8qiy1v+m//Z

    Score
    10/10
    wannacrybootkitdiscoverypersistenceransomwareworm

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Discovery

        Execution

          Exfiltration

            Impact

            Initial Access

              Lateral Movement

                Persistence

                Privilege Escalation

                  Tasks