Overview

overview

10

Static

static

3

dl2.exe

windows7-x64

10

dl2.exe

windows10-2004-x64

10

Resubmissions

14-07-2024 08:16

240714-j6aelavgkf 3

28-03-2024 15:44

240328-s6f2tahh81 3

15-02-2024 03:14

240215-drq6xafb7s 6

05-02-2024 16:35

240205-t3whrsebaq 3

05-02-2024 16:32

240205-t17g9aeagl 3

08-12-2023 22:35

231208-2hv1haegb3 3

31-10-2023 16:20

231031-ttf2qaba4t 10

24-10-2023 18:54

231024-xkm1fsgg8z 10

20-09-2023 14:18

230920-rl8qnagg4s 10

23-08-2023 22:11

230823-139hyshd3w 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    dl2.exe

  • Size

    849KB

  • Sample

    230920-rl8qnagg4s

  • MD5

    c2055b7fbaa041d9f68b9d5df9b45edd

  • SHA1

    e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06

  • SHA256

    342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3

  • SHA512

    18905b75938b8af9468b1aa3ffbae796a139c2762e623aa6ffb9ec2b293dd04aa1f90d1ed5a7dbda7853795a3688e368121a134c7f63e527a8e5e7679301a1dc

  • SSDEEP

    12288:A3RY3yNqMRTF4q2rxHn2ot/81xpNQyjUXlmoe7ufjHAtjXD7r2:A3RY3R24q+xn/8Xp2yOl5fzQ/2

Score
10/10
bazarbackdoorwannacrybackdoordiscoverypersistenceransomwareworm

Malware Config

Extracted

Path

C:\Users\Admin\Documents\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Targets

    • Target

      dl2.exe

    • Size

      849KB

    • MD5

      c2055b7fbaa041d9f68b9d5df9b45edd

    • SHA1

      e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06

    • SHA256

      342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3

    • SHA512

      18905b75938b8af9468b1aa3ffbae796a139c2762e623aa6ffb9ec2b293dd04aa1f90d1ed5a7dbda7853795a3688e368121a134c7f63e527a8e5e7679301a1dc

    • SSDEEP

      12288:A3RY3yNqMRTF4q2rxHn2ot/81xpNQyjUXlmoe7ufjHAtjXD7r2:A3RY3R24q+xn/8Xp2yOl5fzQ/2

    Score
    10/10
    bazarbackdoorwannacrybackdoordiscoverypersistenceransomwareworm

    • BazarBackdoor

      Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

      backdoorbazarbackdoor

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Tries to connect to .bazar domain

      Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

      persistence

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks