General

  • Target

    DeadCodeLauncher.exe

  • Size

    8MB

  • Sample

    231121-trkl5agc6y

  • MD5

    ac8388a792b0401fd6621e760f4c7794

  • SHA1

    47c13ebdb00cbb8e0ec71c5b0a6070accc2293c0

  • SHA256

    920841766c2da541592a0ae874c8528cdb6b3009b5f1873c4d19bacbb116ac40

  • SHA512

    51596efeefd0a877d35783a68d389c7e498e26684c2e4bc49045a4a2644c3f7b8561a7593e030a750b86b1dc1c1a038c2a17080ffb1510afa25a78304c51f321

  • SSDEEP

    196608:eewLDETe6rklPsowwaEAIrpOZOu83ifnZfBZQHwKP6pFbOpaC:92gxASg1h1Owu83iflBZSwKAFbO8C

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\@Please_Read_Me@.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Targets

    • Target

      DeadCodeLauncher.exe

    • Size

      8MB

    • MD5

      ac8388a792b0401fd6621e760f4c7794

    • SHA1

      47c13ebdb00cbb8e0ec71c5b0a6070accc2293c0

    • SHA256

      920841766c2da541592a0ae874c8528cdb6b3009b5f1873c4d19bacbb116ac40

    • SHA512

      51596efeefd0a877d35783a68d389c7e498e26684c2e4bc49045a4a2644c3f7b8561a7593e030a750b86b1dc1c1a038c2a17080ffb1510afa25a78304c51f321

    • SSDEEP

      196608:eewLDETe6rklPsowwaEAIrpOZOu83ifnZfBZQHwKP6pFbOpaC:92gxASg1h1Owu83iflBZSwKAFbO8C

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

File and Directory Permissions Modification

1
T1222

Modify Registry

4
T1112

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

5
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Impact

Defacement

1
T1491

Tasks