General
-
Target
Ransomware.WannaCrypt0r.v2.zip
-
Size
3.3MB
-
Sample
231005-nmqdxscd96
-
MD5
e8378f1d77e68ba6fea9af95be411c1e
-
SHA1
dd728dcf1e346ee9ad749bf82bbedf03d19d3676
-
SHA256
5649b54f0b7cd32a47484c44c210ad2e46a00f1a8c72d71abf2c0ad53710ff84
-
SHA512
6364eccf7318bb950408a8bd783055762724ac1cdbbc8f801a98093a08aa12283d3d0a874d842fc40625e21716bffc23bd22f700e5aed4ae15f66c95d5fad8fc
-
SSDEEP
49152:e1TrJ5Yo9T9lHHk684j4vmB9wpWHXi6qwlXAs1Us6GJccRa2sE1688+LYqhSfs2U:eJJem868G6p2y6TwsesRJccYo6YhFJ7
Static task
static1
Behavioral task
behavioral1
Sample
Ransomware.WannaCrypt0r.v2.exe
Resource
win10-20230915-es
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\@[email protected]
wannacry
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Targets
-
-
Target
Ransomware.WannaCrypt0r.v2.exe
-
Size
3.4MB
-
MD5
84c82835a5d21bbcf75a61706d8ab549
-
SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
-
SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
-
SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
-
SSDEEP
98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution: 1
Registry Run Keys / Startup Folder: 1
Defense Evasion
File and Directory Permissions Modification: 1
Hide Artifacts: 1
Hidden Files and Directories: 1
Indicator Removal: 2
File Deletion: 2
Modify Registry: 3