wannacry

General

Target

ganttproject.log
Size

1KB
Sample

231124-phcspsbe7x
MD5

568509136a1703a4ccb8f174d6a03ff1
SHA1

62df611ea972b5e177996f6ee66aa40342169a63
SHA256

d1a04a6016487394e7008f34048dfe19bc858bea238ec652a3e5432663bb3b5d
SHA512

2d0ab1dac2573df856caba02373eb1f1926e3d017bdb906e04c7d2695b3ca08f72f5ba0c07a57f44ba62ab24fa5a499b626b63140b2e6df8635e65fea1f8af1a

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Targets

- Target
  
  ganttproject.log
- Size
  
  1KB
- MD5
  
  568509136a1703a4ccb8f174d6a03ff1
- SHA1
  
  62df611ea972b5e177996f6ee66aa40342169a63
- SHA256
  
  d1a04a6016487394e7008f34048dfe19bc858bea238ec652a3e5432663bb3b5d
- SHA512
  
  2d0ab1dac2573df856caba02373eb1f1926e3d017bdb906e04c7d2695b3ca08f72f5ba0c07a57f44ba62ab24fa5a499b626b63140b2e6df8635e65fea1f8af1a
Score

10^/10

wannacry discovery persistence ransomware spyware stealer worm bootkit
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Downloads MZ/PE file
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2