Resubmissions

20-07-2023 23:03

230720-21x8ksba59 10

20-07-2023 23:02

230720-21c8eaba57 10

20-07-2023 23:01

230720-2zpvtabe9z 10

19-04-2023 13:09

230419-qdzbksce4z 10

23-03-2023 02:20

230323-csx56seh7w 10

11-03-2023 13:45

230311-q2r76sbf6w 10

General

  • Target

    72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.zip

  • Size

    143KB

  • Sample

    230311-q2r76sbf6w

  • MD5

    e94a370b9f0f0b736a0671be28ba173c

  • SHA1

    b5a80c657654e50348410d8f10352b26ec0fa4df

  • SHA256

    0b3e020b38d82713f98143e909cfdaf919b8aeedba30313614c8a6a08a9774ab

  • SHA512

    29444e784f7a832224555e3bfa32d0642722693f82a1f1d35eff26eed904125fd9bd54a03a70914d8b0cd44d355fb91559bc75895f96eabc4e9609a67e1ad708

  • SSDEEP

    3072:S5u/OvayrbCsCtrULWxk/DRBr+pOax7v+LES8nUGVN7yx0M2ETJ1/:SrvayrbCIWsNBElKunUGVJgZ2Er/

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\kb4owxsr.y11\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Targets

    • Target

      72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe

    • Size

      148KB

    • MD5

      6ed3e3327246cc457d22bb92bd3bba8b

    • SHA1

      1329a6af26f16bb371782ff404d526eec1af9d22

    • SHA256

      72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503

    • SHA512

      f6c5428adffc10294204e0b068510d91fced02bbe02158a21294ebd5baf249aff0264021cbf7b2b9b37533b1db4daa09113abaa84435f4aa7660849f9b9257f7

    • SSDEEP

      3072:gqMedjZ064qkGda5bFxs0ZUfBpfF6Mq6qUbHlVexC6exvLsBB16UVsh8iSd:+A0rAda5bFxvYptdHl4xV+Efuh

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • Modifies WinLogon for persistence

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • mimikatz is an open source tool to dump credentials on Windows

    • Contacts a large (1097) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies WinLogon

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Enterprise v6

Tasks