General
-
Target
72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.zip
-
Size
143KB
-
Sample
230311-q2r76sbf6w
-
MD5
e94a370b9f0f0b736a0671be28ba173c
-
SHA1
b5a80c657654e50348410d8f10352b26ec0fa4df
-
SHA256
0b3e020b38d82713f98143e909cfdaf919b8aeedba30313614c8a6a08a9774ab
-
SHA512
29444e784f7a832224555e3bfa32d0642722693f82a1f1d35eff26eed904125fd9bd54a03a70914d8b0cd44d355fb91559bc75895f96eabc4e9609a67e1ad708
-
SSDEEP
3072:S5u/OvayrbCsCtrULWxk/DRBr+pOax7v+LES8nUGVN7yx0M2ETJ1/:SrvayrbCIWsNBElKunUGVJgZ2Er/
Static task
static1
Behavioral task
behavioral1
Sample
72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe
Resource
win7-20230220-en
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\kb4owxsr.y11\@[email protected]
wannacry
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Targets
-
-
Target
72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe
-
Size
148KB
-
MD5
6ed3e3327246cc457d22bb92bd3bba8b
-
SHA1
1329a6af26f16bb371782ff404d526eec1af9d22
-
SHA256
72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503
-
SHA512
f6c5428adffc10294204e0b068510d91fced02bbe02158a21294ebd5baf249aff0264021cbf7b2b9b37533b1db4daa09113abaa84435f4aa7660849f9b9257f7
-
SSDEEP
3072:gqMedjZ064qkGda5bFxs0ZUfBpfF6Mq6qUbHlVexC6exvLsBB16UVsh8iSd:+A0rAda5bFxvYptdHl4xV+Efuh
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Modifies WinLogon for persistence
-
mimikatz is an open source tool to dump credentials on Windows
-
Contacts a large (1097) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Sets file execution options in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Modifies WinLogon
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
MITRE ATT&CK Enterprise v6
Persistence
Bootkit
1Hidden Files and Directories
1Modify Existing Service
1Registry Run Keys / Startup Folder
2Scheduled Task
1Winlogon Helper DLL
2Defense Evasion
File and Directory Permissions Modification
1Hidden Files and Directories
1Install Root Certificate
1Modify Registry
9Web Service
1