Overview

overview

10

Static

static

1

106445763c...34.exe

windows7-x64

10

106445763c...34.exe

windows10-2004-x64

Resubmissions

08-04-2024 13:45

240408-q2dpsaae25 10

21-11-2023 22:21

231121-196ewagh72 10

21-11-2023 22:20

231121-183ycshf5y 10

21-11-2023 22:06

231121-1z2c6sgh38 10

27-08-2023 18:38

230827-w98ssaee5z 10

01-06-2023 22:35

230601-2h4yeagg74 10

21-04-2023 17:56

230421-whz2kahb76 10

16-04-2023 14:28

230416-rtht7sad45 10

16-04-2023 14:28

230416-rs4qaaca91 1

16-04-2023 14:22

230416-rpvyzaad38 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34

  • Size

    1.2MB

  • Sample

    230225-sbtpesde44

  • MD5

    5b3b6822964b4151c6200ecd89722a86

  • SHA1

    ce7a11dae532b2ade1c96619bbdc8a8325582049

  • SHA256

    106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34

  • SHA512

    2f0d99af35c326cf46810c7421325deb55ae7ca36a8edc2716a3d32d9e6769e0d374581a98912e22fceeb6973e972463ed8b2fa4d4399043c443fa100dfd17b0

  • SSDEEP

    24576:5yY4YriuQJ5X4SuIcmuBLahxwUzN1YyqoVKucvTNLF9:sY4FuIahGxRMoobNLF

Score
10/10
redlinewannacryronurdiscoveryevasioninfostealerpersistenceransomwaretrojanworm

Malware Config

Extracted

Family

redline

Botnet

ronur

C2

193.233.20.20:4134

Attributes
  • auth_value

    f88f86755a528d4b25f6f3628c460965

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@Please_Read_Me@.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Targets

    • Target

      106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34

    • Size

      1.2MB

    • MD5

      5b3b6822964b4151c6200ecd89722a86

    • SHA1

      ce7a11dae532b2ade1c96619bbdc8a8325582049

    • SHA256

      106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34

    • SHA512

      2f0d99af35c326cf46810c7421325deb55ae7ca36a8edc2716a3d32d9e6769e0d374581a98912e22fceeb6973e972463ed8b2fa4d4399043c443fa100dfd17b0

    • SSDEEP

      24576:5yY4YriuQJ5X4SuIcmuBLahxwUzN1YyqoVKucvTNLF9:sY4FuIahGxRMoobNLF

    Score
    10/10
    redlineronurevasioninfostealerpersistencetrojanwannacrydiscoveryransomwareworm

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Hidden Files and Directories

1
T1158

Privilege Escalation

Defense Evasion

Modify Registry

5
T1112

Disabling Security Tools

2
T1089

File Deletion

1
T1107

File Permissions Modification

1
T1222

Hidden Files and Directories

1
T1158

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Inhibit System Recovery

1
T1490

Defacement

1
T1491

Tasks