General

  • Target

    La Tecla Windows.pdf

  • Size

    49KB

  • Sample

    231123-ke2kfagf96

  • MD5

    6e5234a3e794e14e54332b7ac46cd9e2

  • SHA1

    d04a763e68a8851c871adb785b15b285fb9508a0

  • SHA256

    41b1208778c3aa39c8eba705a11df56b0f5a14d993e2dc815995cf4401d5d193

  • SHA512

    12dc74112a5b9a4bd36191f58b34cddeb0927fbe6f625d6b0ac8299e270de42e9c341c42a46084e469ea023bcadc624d62cb957fca23548ce8868912a1cf53d4

  • SSDEEP

    1536:IAAuMEIpTwOAfMzH94cL8H5Gxd2GD6lOlvuZZtj+:NAfNKCX8ZGeuuZi

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\@Please_Read_Me@.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Targets

    • Target

      La Tecla Windows.pdf

    • Size

      49KB

    • MD5

      6e5234a3e794e14e54332b7ac46cd9e2

    • SHA1

      d04a763e68a8851c871adb785b15b285fb9508a0

    • SHA256

      41b1208778c3aa39c8eba705a11df56b0f5a14d993e2dc815995cf4401d5d193

    • SHA512

      12dc74112a5b9a4bd36191f58b34cddeb0927fbe6f625d6b0ac8299e270de42e9c341c42a46084e469ea023bcadc624d62cb957fca23548ce8868912a1cf53d4

    • SSDEEP

      1536:IAAuMEIpTwOAfMzH94cL8H5Gxd2GD6lOlvuZZtj+:NAfNKCX8ZGeuuZi

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Indicator Removal

1
T1070

File Deletion

1
T1070.004

File and Directory Permissions Modification

1
T1222

Modify Registry

3
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

4
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Impact

Inhibit System Recovery

1
T1490

Defacement

1
T1491

Tasks