wannacry

General

Target

archiveNew.7z
Size

3.4MB
Sample

230324-amzeyada61
MD5

26058186fb232824d0f390c05d5763fa
SHA1

79ae0f74766e848cb28a12b584a13890a23afa60
SHA256

5c5bd9b1245d498e15fd5497fee284153cecc8ed898288b074a16f1618d675b8
SHA512

00d439c02f0546c564b5dc82c428ba1e2a3fa2ad80c508965d6a9aa886ed53c8ce42c9948e60292d10afc19b04f07beda13c82adeb8e3834c2f4cd052b499b6d
SSDEEP

98304:w27dozlXLkFjISUdup6SAQHhNtW29hFfRlYcAJVc6r:wMdYLWjIrupZAQ42PrlYcSC8

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Documents\@Please_Read_Me@.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Targets

- Target
  
  Endermanch@Petya.A.exe
- Size
  
  225KB
- MD5
  
  af2379cc4d607a45ac44d62135fb7015
- SHA1
  
  39b6d40906c7f7f080e6befa93324dddadcbd9fa
- SHA256
  
  26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
- SHA512
  
  69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99
- SSDEEP
  
  6144:DCyjXhd1mialK+qoNr8PxtZE6x5v+k6f:rjXhd8ZlKOrMZE6x5b6f
Score

6^/10

bootkit persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2
- Target
  
  Endermanch@WannaCrypt0r.exe
- Size
  
  3.4MB
- MD5
  
  84c82835a5d21bbcf75a61706d8ab549
- SHA1
  
  5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
- SHA256
  
  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
- SHA512
  
  90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
- SSDEEP
  
  98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB
Score

10^/10

wannacry discovery persistence ransomware spyware stealer worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral3 behavioral4