General

  • Target

    https://download167.uploadhaven.com/1/application/zip/ffTnvakKsJUEjcR7egiq6cHOrexWrwtgULNzuHHS.zip?key=FvwMe0No690wZDZVA3nvfw&expire=1697770184&filename=Skull.Island.Rise.of.Kong.zip

  • Sample

    231019-dc5ezsdc5t

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �
Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Extracted

Path

C:\PerfLogs\DECRYPT_YOUR_FILES.HTML

Ransom Note
<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>W5dm7ZmzDUttxI1vDCqM4FGtAux9qpoxR5nFeD29l/6SnGHiJDHyF/HkkcrTzv4qBfN96y97FQOq+pH0hvn/NOXyfzRNH9EGxb6twwMZTEJSbWVYu2l5rWxv9zEGgEzATOUvDIlnBdmfnJB/OPQi0bojAwBuxL+L12LPegYByyAe74O3ncihef3aGcM/vjhx1jAseXBYhFOmvdvCzWsIXS2LzZYgatRXcVDepGYZDDVk7tMSd12C9WH48Nm4T/uhVbYB4CxmL4H8PqepwPfUEjn8eZogsun/afu3bD5VVtvfZKrvyBC8mrwjIoPt7YZUGwXOfjRRGGGrthFtkg1Syg==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Targets

    • Target

      https://download167.uploadhaven.com/1/application/zip/ffTnvakKsJUEjcR7egiq6cHOrexWrwtgULNzuHHS.zip?key=FvwMe0No690wZDZVA3nvfw&expire=1697770184&filename=Skull.Island.Rise.of.Kong.zip

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Fantom

      Ransomware which hides encryption process behind fake Windows Update screen.

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Renames multiple (5379) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Blocklisted process makes network request

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Registers COM server for autorun

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks