Resubmissions

29-10-2023 10:55

231029-m1l3zsfe3s 10

General

  • Target

    CreamInstaller.exe

  • Size

    142.2MB

  • Sample

    231029-m1l3zsfe3s

  • MD5

    bd07665ce7ec2bf0b9322ac6bfef35f9

  • SHA1

    bb7869551f858ac74593311d0cffc9679cf7bb0b

  • SHA256

    270d4c63b45b0a88bc89dbd1e6dc8b7cb7d5c88f26496e1e9d241d810443272e

  • SHA512

    c0c169a63ca409a341378a20c8e705b56ddacd216be793a7a5b1377a71917bd59030b6a36db698585bfd004d465e916f6107e3df80634b977e08198daf34e92b

  • SSDEEP

    3145728:GdlIzndV8rA56Brg0Mln+4C3RLBnrB3Yo2gXD1PK1dNHDuH+h+6qy+Ewa7UMHEuf:kadVaGAril+4K9BhYo2gz1PK5D86qyVn

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting!

Q: What do I do?
A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.)

Q: How can I trust?
A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users.

* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Targets

    • Target

      CreamInstaller.exe

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Modifies WinLogon for persistence

    • UAC bypass

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Disables RegEdit via registry modification

    • Downloads MZ/PE file

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks