Malware sandboxing report by Hatching Triage

Target

Word.exe
Size

3MB
Sample

230210-x2eqeagd91
MD5

e8340564caba7a2635af2c79cb7103eb
SHA1

8c62c79508abe5ffa36608d1846dcb20b2a27137
SHA256

acd5f35bfcc91c197d8ea08afe588454233114500255ed842b0589dc194ec466
SHA512

b6dc6dfeff210222ee904ad9c8dc832e4bf9c27a84298d2817e320bd9308e6d647a5efcf6845a0ed2b0cebdb6539257cd07428bbdce3d5d5db23e8614503d9d2
SSDEEP

98304:/uWtmPx3xiobns6osz1gyQ4BL995Bt9JWpVi6q:/9m5hi0HBtQ4P95L9g3i6q

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@Please_Read_Me@.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Targets

- Target
  
  Word.exe
- Size
  
  3MB
- MD5
  
  e8340564caba7a2635af2c79cb7103eb
- SHA1
  
  8c62c79508abe5ffa36608d1846dcb20b2a27137
- SHA256
  
  acd5f35bfcc91c197d8ea08afe588454233114500255ed842b0589dc194ec466
- SHA512
  
  b6dc6dfeff210222ee904ad9c8dc832e4bf9c27a84298d2817e320bd9308e6d647a5efcf6845a0ed2b0cebdb6539257cd07428bbdce3d5d5db23e8614503d9d2
- SSDEEP
  
  98304:/uWtmPx3xiobns6osz1gyQ4BL995Bt9JWpVi6q:/9m5hi0HBtQ4P95L9g3i6q
Score

10^/10

wannacry bootkit discovery persistence ransomware spyware stealer worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral1

MITRE ATT&CK Matrix

Collection

Data from Local System

T1005

Command and Control

Credential Access

Credentials in Files

T1081

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Hidden Files and Directories

T1158

File Permissions Modification

T1222

Discovery

Query Registry

T1012

System Information Discovery

T1082

Execution

Exfiltration

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Tasks

static1

Score

1^/10

behavioral1

wannacrybootkitdiscoverypersistenceransomwarespywarestealerworm

Score

10^/10

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Wannacry

Deletes shadow copies

Modifies extensions of user files

Drops startup file

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Reads user/profile data of web browsers

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Sets desktop wallpaper using registry

MITRE ATT&CK Matrix

Tasks

static1

behavioral1