General
-
Target
https://bazaar.abuse.ch/download/be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844/
-
Sample
230608-satm2agc26
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://bazaar.abuse.ch/download/be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844/
Resource
win10v2004-20230220-en
Malware Config
Extracted
C:\Users\Admin\Downloads\be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844\!Please Read Me!.txt
wannacry
15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Targets
-
-
Target
https://bazaar.abuse.ch/download/be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844/
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Disables use of System Restore points
-
Modifies Windows Firewall
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Sets file execution options in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Sets desktop wallpaper using registry
-