General

  • Target

    MinecraftInstaller.exe

  • Size

    31MB

  • Sample

    231128-ab5gtadh5t

  • MD5

    24c96f96660bcedbf8648c8e43c3630c

  • SHA1

    127dbeec1e9a7b8db42704172ba9e9bae0269754

  • SHA256

    2b0e05e169643319074f306153e55f2d839adb0378d6e721c04198233b892bfa

  • SHA512

    ed01d726284b92f0c594db2b4644903109c1f7ec650b6572207d1f1d8fe26e97dd3d89df6296b625023f0c63148b5ae543db21573c60aa487c57414219e3916c

  • SSDEEP

    393216:Ubekuyo9nMK50UGRXLePuq2ZWy/c5zFviMKe2OHmwv9CsTmsueFFza9yt:vZn/G4Gqk1cWe2iTVCMue3T

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Please Read Me!.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �
Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Targets

    • Target

      MinecraftInstaller.exe

    • Size

      31MB

    • MD5

      24c96f96660bcedbf8648c8e43c3630c

    • SHA1

      127dbeec1e9a7b8db42704172ba9e9bae0269754

    • SHA256

      2b0e05e169643319074f306153e55f2d839adb0378d6e721c04198233b892bfa

    • SHA512

      ed01d726284b92f0c594db2b4644903109c1f7ec650b6572207d1f1d8fe26e97dd3d89df6296b625023f0c63148b5ae543db21573c60aa487c57414219e3916c

    • SSDEEP

      393216:Ubekuyo9nMK50UGRXLePuq2ZWy/c5zFviMKe2OHmwv9CsTmsueFFza9yt:vZn/G4Gqk1cWe2iTVCMue3T

    • Modifies visibility of file extensions in Explorer

    • UAC bypass

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (67) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Registry

6
T1112

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

4
T1012

System Information Discovery

6
T1082

Peripheral Device Discovery

2
T1120

Collection

Data from Local System

1
T1005

Impact

Inhibit System Recovery

1
T1490

Defacement

1
T1491

Tasks