Resubmissions

13-02-2024 12:11

240213-pcwzdshd2w 10

13-02-2024 12:08

240213-pa6qtahc7y 10

18-12-2023 08:13

231218-j4g2nabaf5 10

05-12-2023 08:54

231205-kt32taae27 10

05-12-2023 07:41

231205-jjdthahh6w 10

05-12-2023 07:38

231205-jgmcvshh5x 10

26-11-2023 09:39

231126-lmxf5agd87 10

26-11-2023 09:38

231126-ll8g1agd85 10

25-11-2023 18:47

231125-xe98ssca65 10

General

  • Target

    82e34351115b01948c0ed5ba16337e6ddd3f519a0b6f681061fd5f50f95fda46.zip

  • Size

    18MB

  • Sample

    231205-kt32taae27

  • MD5

    50a69641fb73dc6549a2e17264957498

  • SHA1

    ff7be443900880939f13c60574239f287e15a9d7

  • SHA256

    1d3c2088b2d712f8006279db8acb9a1c6dc3037886a655d37bf75ea5fa6b9518

  • SHA512

    554ee59adc664c0e25b77302bcd5a92727cf11cbcb216f08ae1cbaca9372a5e26c9579036ca079b64c059f1899be150548d9a18f179f0ee31b8d7e391e873715

  • SSDEEP

    393216:t58rCjhNeSpNWYVYU2oY+NAxLGPi1XNLTcNRVciCS4XYLZ28:t5YCDlZY0vqLGGvcAXYLQ8

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Malware-database-main\!Please Read Me!.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �
Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Targets

    • Target

      Malware-database-main/000.exe

    • Size

      6MB

    • MD5

      f2b7074e1543720a9a98fda660e02688

    • SHA1

      1029492c1a12789d8af78d54adcb921e24b9e5ca

    • SHA256

      4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

    • SHA512

      73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

    • SSDEEP

      3072:eaLA1++iCeFj0im6X/AXpT8vVMCcHVcdhghUuz1o9Y:fLJlC6j0CX4XmvWHVcd62uO9

    • Disables Task Manager via registry modification

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies WinLogon

    • Sets desktop wallpaper using registry

    • Target

      Malware-database-main/ChilledWindows.exe

    • Size

      4MB

    • MD5

      6a4853cd0584dc90067e15afb43c4962

    • SHA1

      ae59bbb123e98dc8379d08887f83d7e52b1b47fc

    • SHA256

      ccb9502bf8ba5becf8b758ca04a5625c30b79e2d10d2677cc43ae4253e1288ec

    • SHA512

      feb223e0de9bd64e32dc4f3227e175b58196b5e614bca8c2df0bbca2442a564e39d66bcd465154149dc7ebbd3e1ca644ed09d9a9174b52236c76e7388cb9d996

    • SSDEEP

      98304:XyDt6K4MJVnjOobt/JN1LA5elHc+S4fRp5UvluKo:XyDtK8bbxn+IHcBEV/F

    Score
    6/10
    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      Malware-database-main/Christmas.exe

    • Size

      482KB

    • MD5

      c35aa97962c4132ef87768d6e7e4faea

    • SHA1

      bb696ec7709f94067bc0cea5d53432f7f60667e3

    • SHA256

      cb7c01aa6b8d1f7fa7131d6444a220cedf0c51102c127a13a4313e4249b1f88e

    • SHA512

      21d838c035b958f1e92aef0c6591d9631215f088bd96653a9d15b4293fdaab2d1b404c0f0e38f14eba3d69099dc07fc5191caa89f49aba956674e7f9b461450c

    • SSDEEP

      6144:s68WiSoFDCIIH9rTmoSoaTxxsVW9rmdA1h3UeJsFtusIP3q7bNB+Xrge138ahLWk:CWiSoF2dN0KcPJsJ0ObNB+rKaVW+Is9

    Score
    1/10
    • Target

      Malware-database-main/CookieClickerHack.exe

    • Size

      68KB

    • MD5

      bc1e7d033a999c4fd006109c24599f4d

    • SHA1

      b927f0fc4a4232a023312198b33272e1a6d79cec

    • SHA256

      13adae722719839af8102f98730f3af1c5a56b58069bfce8995acd2123628401

    • SHA512

      f5d9b8c1fd9239894ec9c075542bff0bcef79871f31038e627ae257b8c1db9070f4d124448a78e60ccc8bc12f138102a54825e9d7647cd34832984c7c24a6276

    • SSDEEP

      768:bhU+D/no2u+6JaAcNRFJ67Pn975JqiG6BwUqdVBF+G2JOnCC6G2JOtCCm:bhjDIrU0h5Jqi7qzb2ICCb26CCm

    Score
    1/10
    • Target

      Malware-database-main/Electron V2.exe

    • Size

      39KB

    • MD5

      b1228ba24ca5f75f8df9d5d177e5bb2b

    • SHA1

      1895758de51ccfefa40239aa11055540c8c5deb7

    • SHA256

      04b106b179c202c67361aa4debad5d82f79a1927ab0ab8abc2ef350d18894b08

    • SHA512

      7abc1df0089a1a00aadc11c33eecffb5d85258acc4eac0b261ceaea77e814eaf671506383fe0074fd5779b8bc58e0f48f0d15309aa81aecf27ecc6633da4c5a4

    • SSDEEP

      768:hqo2khp1DlNjwQr9KWO4TOpkx7u/LraCvpbMC2mkek:ko2kFpNjwQr9KWODkx74L2CNf5k

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Modifies boot configuration data using bcdedit

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

    • Target

      Malware-database-main/Flasher.exe

    • Size

      246KB

    • MD5

      9254ca1da9ff8ad492ca5fa06ca181c6

    • SHA1

      70fa62e6232eae52467d29cf1c1dacb8a7aeab90

    • SHA256

      30676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6

    • SHA512

      a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a

    • SSDEEP

      6144:/85Z+Y97t0Kc0Nd5bHzvvj/R87Z3BxonZ:/8vd2KxNPjs3gZ

    Score
    1/10
    • Target

      Malware-database-main/MEMZ Trojan.exe

    • Size

      12KB

    • MD5

      9c642c5b111ee85a6bccffc7af896a51

    • SHA1

      eca8571b994fd40e2018f48c214fab6472a98bab

    • SHA256

      4bbf7589615ebdb6c769d6d2e7bdcb26072bac0cda6e225a4133ba8819e688d5

    • SHA512

      23cc74b5a7bdf70ba789d1730a0009414cfb9c780544e3d8d841be58782b9a9a089969c4295a0da25d07285505992386486d6ff0524e75605b96bb99cd3aaa1c

    • SSDEEP

      192:BCMfc/GinpRBueYDw4+kEeN4FRrfMFFp3+f2dvGhT59uay:AMfceinpOeRENYhfOj+eGdKa

    Score
    1/10
    • Target

      Malware-database-main/Popup.exe

    • Size

      373KB

    • MD5

      9c3e9e30d51489a891513e8a14d931e4

    • SHA1

      4e5a5898389eef8f464dee04a74f3b5c217b7176

    • SHA256

      f8f7b5f20ca57c61df6dc8ff49f2f5f90276a378ec17397249fdc099a6e1dcd8

    • SHA512

      bf45677b7dd6c67ad350ec6ecad5bc3f04dea179fae0ff0a695c69f7de919476dd7a69c25b04c8530a35119e4933f4a8c327ed6dcef892b1114dfd7e494a19a7

    • SSDEEP

      6144:yN6MLNACl/+9EhE/jIxlOaNpA7tRzXBWRiB6nlbKsgP5o24a4pF0ghqbjY:Kh29IEUxhiHWRIglbKsgRokTghf

    Score
    1/10
    • Target

      Malware-database-main/PowerPoint.exe

    • Size

      136KB

    • MD5

      70108103a53123201ceb2e921fcfe83c

    • SHA1

      c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

    • SHA256

      9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

    • SHA512

      996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

    • SSDEEP

      1536:3VrdxBvcGdDHHtWv8udA1JYREgJ/qEOpsChnU4V1lyqHv4vAmOG9HSDKRppppp5B:1H5D0dSgo7ppTV1lyqPOAmOG9HSOD

    Score
    7/10
    • Deletes itself

    • Executes dropped EXE

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      Malware-database-main/RedEye.exe

    • Size

      10MB

    • MD5

      e9e5596b42f209cc058b55edc2737a80

    • SHA1

      f30232697b3f54e58af08421da697262c99ec48b

    • SHA256

      9ac9f207060c28972ede6284137698ce0769e3695c7ad98ab320605d23362305

    • SHA512

      e542319beb6f81b493ad80985b5f9c759752887dc3940b77520a3569cd5827de2fcae4c2357b7f9794b382192d4c0b125746df5cf08f206d07b2b473b238d0c7

    • SSDEEP

      196608:+ahZ5qN3wvdJBiAv1hXx7jeeDt9/wGoyIu+sTvDmQONhL/LslAVyq8rZyA+TXtT4:+w6NAvPAA/Xx3eeDtTD+GDONhL/AlAV8

    • Modifies Windows Defender Real-time Protection settings

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Disables use of System Restore points

    • Modifies Windows Firewall

    • Sets file execution options in registry

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Sets desktop wallpaper using registry

    • Target

      Malware-database-main/WannaCry.exe

    • Size

      224KB

    • MD5

      5c7fb0927db37372da25f270708103a2

    • SHA1

      120ed9279d85cbfa56e5b7779ffa7162074f7a29

    • SHA256

      be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

    • SHA512

      a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

    • SSDEEP

      3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Sets desktop wallpaper using registry

    • Target

      Malware-database-main/butterflyondesktop.exe

    • Size

      2MB

    • MD5

      1535aa21451192109b86be9bcc7c4345

    • SHA1

      1af211c686c4d4bf0239ed6620358a19691cf88c

    • SHA256

      4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

    • SHA512

      1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

    • SSDEEP

      49152:5aA7f7tlVmdqK23H2bpHI4Qs5ABV9WRHZRsgI82lcHGAaKLinXBgJ:Q+VMkX224QsWBq5SfARGRgJ

    Score
    7/10
    • Executes dropped EXE

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1
T1091

Persistence

Boot or Logon Autostart Execution

4
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Winlogon Helper DLL

1
T1547.004

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

4
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Defense Evasion

Modify Registry

11
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Indicator Removal

3
T1070

File Deletion

3
T1070.004

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

8
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Data from Local System

2
T1005

Impact

Defacement

4
T1491

Inhibit System Recovery

5
T1490

Tasks