Resubmissions

04-02-2024 18:26

240204-w3e7wsgag8 1

04-02-2024 18:25

240204-w22z9sgaf5 1

04-02-2024 18:23

240204-w1yapagad2 1

04-02-2024 18:01

240204-wl3lvshger 1

04-02-2024 17:52

240204-wf3dxahfep 1

General

  • Target

    NoEscape.zip

  • Size

    129KB

  • Sample

    240204-wwdeqafhd9

  • MD5

    fefeb9d693fd102a27b7aae0ac6bc717

  • SHA1

    dd5baf49f75494ff88db206ed59ba7a10b606df1

  • SHA256

    cc22a90739363eccd777561c69fcbc18ec910aaeec2ef49f610479bf69fd9b4b

  • SHA512

    29838ab1dc0bc4006abe358e3cd1e3a5ebfa416e56015fbafc4b6e8ea24079cb6f976eaa5d4b8803d40878d00db80d491aa3b4b67992c28e2afc90dacab0ebc4

  • SSDEEP

    3072:pffpYcEMByrcuxpE0BOjS+rkaPfgIsknZ3E4hGlt6q8Qi+3nSky9WeZY/8ODuqJg:sDuqJMfWkvVSgE29xxspm0niivuz3il6
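Before detonating or reversing anything, confirm that the file on disk is the artefact the report describes. The following helper is an added example, not part of the sandbox report: it streams a file once, computes all four digests the report lists for NoEscape.zip in that single pass, and diffs them against the reported values. The bytes hashed in the demo are a constructed placeholder, not the real archive, so the diff is expected to show four mismatches.

```python
"""Sample identity check before analysis (added example, not from the report)."""
import hashlib
import io

# Hashes exactly as listed in the report's General section for NoEscape.zip.
REPORTED = {
    "md5": "fefeb9d693fd102a27b7aae0ac6bc717",
    "sha1": "dd5baf49f75494ff88db206ed59ba7a10b606df1",
    "sha256": "cc22a90739363eccd777561c69fcbc18ec910aaeec2ef49f610479bf69fd9b4b",
    "sha512": "29838ab1dc0bc4006abe358e3cd1e3a5ebfa416e56015fbafc4b6e8ea24079cb6f976eaa5d4b8803d40878d00db80d491aa3b4b67992c28e2afc90dacab0ebc4",
}


def hash_stream(fh, chunk_size=1 << 20):
    """Feed every chunk to all four hashers so the file is read only once."""
    hashers = {name: hashlib.new(name) for name in REPORTED}
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Convenience wrapper for in-memory data (used by the demo below)."""
    return hash_stream(io.BytesIO(data))


def compare_hashes(actual, expected=REPORTED):
    """Return (ok, mismatches); mismatches maps algo -> (expected, actual).

    Expected values are lower-cased so a digest pasted in upper case still
    matches; an algorithm missing from `actual` counts as a mismatch, never a pass.
    """
    mismatches = {}
    for name, exp in expected.items():
        got = actual.get(name)
        if got != exp.lower():
            mismatches[name] = (exp.lower(), got)
    return (not mismatches), mismatches


def verify_sample(path, expected=REPORTED):
    """Hash a file on disk and compare it with the expected digests."""
    with open(path, "rb") as fh:
        return compare_hashes(hash_stream(fh), expected)


def looks_like_zip(data):
    """The report's target is a ZIP: local file header PK\\x03\\x04, or the
    end-of-central-directory record PK\\x05\\x06 for an empty archive."""
    return data[:4] in (b"PK\x03\x04", b"PK\x05\x06")


if __name__ == "__main__":
    # Constructed placeholder bytes, not the real sample.
    placeholder = b"PK\x03\x04 constructed placeholder, not the real sample"
    ok, diffs = compare_hashes(hash_bytes(placeholder))
    print("zip magic:", looks_like_zip(placeholder))
    print("matches report:", ok)
    for algo, (exp, got) in diffs.items():
        print(f"  {algo}: expected {exp[:16]}... got {got[:16]}...")
```

Run it against the downloaded archive with `verify_sample("NoEscape.zip")`; anything other than `(True, {})` means you are not looking at the sample this report analysed, whatever the file is called.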

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
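A wallet address lifted from a ransom note is only a usable IOC if it survived extraction intact. Legacy Bitcoin addresses are Base58Check encoded: a version byte, a 20-byte hash and a 4-byte checksum (the first four bytes of SHA-256 applied twice), so a mangled address can be rejected offline before it is pushed to a blocklist or a blockchain lookup. The block below is an added example, not part of the sandbox report; the Base58 decoder and the address regex are written here for the example, and NOTE_EXCERPT is a constructed excerpt of the note above.

```python
"""Validate and extract Bitcoin wallet IOCs (added example, not from the report)."""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_INDEX = {c: i for i, c in enumerate(B58_ALPHABET)}

# Candidate tokens: legacy addresses start with 1 (P2PKH) or 3 (P2SH) and are
# 26-35 characters from the Base58 alphabet, which has no 0, O, I or l.
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def b58decode(s):
    """Decode a Base58 string to bytes; raise ValueError on a bad character."""
    n = 0
    for c in s:
        if c not in B58_INDEX:
            raise ValueError(f"non-Base58 character {c!r}")
        n = n * 58 + B58_INDEX[c]
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' encodes one leading zero byte that the integer form loses.
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_btc_address(addr):
    """True if addr is well-formed Base58Check with version 0x00 (P2PKH) or 0x05 (P2SH)."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return checksum == expected


def extract_wallets(text):
    """Return (valid, rejected): address-shaped tokens split by checksum result."""
    valid, rejected = [], []
    for token in ADDR_RE.findall(text):
        (valid if is_valid_btc_address(token) else rejected).append(token)
    return valid, rejected


# Constructed excerpt of the ransom note shown above.
NOTE_EXCERPT = (
    "Please send $300 worth of bitcoin to this bitcoin address: "
    "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file"
)

if __name__ == "__main__":
    good, bad = extract_wallets(NOTE_EXCERPT)
    print("valid:", good)
    print("rejected:", bad)
    # A single-character transcription error is caught by the checksum.
    print(is_valid_btc_address("13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb95"))
```

The checksum only proves the string is a syntactically valid address, not that it belongs to this campaign; for attribution you still correlate the address with the family's other known wallets and with on-chain activity.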

Targets

    • Target

      NoEscape.zip

    • Size

      129KB

    • MD5

      fefeb9d693fd102a27b7aae0ac6bc717

    • SHA1

      dd5baf49f75494ff88db206ed59ba7a10b606df1

    • SHA256

      cc22a90739363eccd777561c69fcbc18ec910aaeec2ef49f610479bf69fd9b4b

    • SHA512

      29838ab1dc0bc4006abe358e3cd1e3a5ebfa416e56015fbafc4b6e8ea24079cb6f976eaa5d4b8803d40878d00db80d491aa3b4b67992c28e2afc90dacab0ebc4

    • SSDEEP

      3072:pffpYcEMByrcuxpE0BOjS+rkaPfgIsknZ3E4hGlt6q8Qi+3nSky9WeZY/8ODuqJg:sDuqJMfWkvVSgE29xxspm0niivuz3il6

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Deletes NTFS Change Journal

      The USN change journal is an NTFS feature, present on client and server Windows alike, that records every change made to files on a volume. Deleting it (as with fsutil usn deletejournal) destroys a timeline that investigators rely on to reconstruct what the malware touched.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Wannacry

      WannaCry is a ransomware cryptoworm that spread in May 2017 by exploiting SMBv1 with EternalBlue, the vulnerability patched by MS17-010.

    • Clears Windows event logs

    • Deletes shadow copies

      Volume Shadow Copies are point-in-time snapshots that would let a victim roll files back; ransomware deletes them (typically via vssadmin or wmic) to inhibit system recovery (ATT&CK T1490), leaving only offline backups as a way out.

    • Blocklisted process makes network request

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry
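Several of the behaviours above are visible on a real host as process-creation events long before encryption finishes. The block below is an added example, not part of the sandbox report: RULES encodes the command lines behind three of the listed signatures (shadow copy deletion, NTFS change journal deletion, event log clearing) plus the boot-recovery tampering that ransomware usually chains with them, and scan() runs them over process-creation records (Sysmon Event ID 1 style: parent image, image, command line). SAMPLE_PROCS and the dropped-binary path are constructed for the example, and the ATT&CK technique IDs are the standard ones, not taken from the report.

```python
"""Host-side detections for sandbox-flagged behaviours (added example, not from the report)."""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "parent image cmdline")

# Rule name -> (ATT&CK technique, pattern over the command line).
RULES = {
    "Deletes shadow copies": ("T1490", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    "Deletes NTFS change journal": ("T1070", re.compile(
        r"fsutil(\.exe)?\s+usn\s+deletejournal", re.I)),
    "Clears Windows event logs": ("T1070.001", re.compile(
        r"wevtutil(\.exe)?\s+(cl|clear-log)\s+\S+", re.I)),
    "Disables boot recovery": ("T1490", re.compile(
        r"bcdedit(\.exe)?\s.*?(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
}

# A recovery-inhibiting command spawned from a user-writable directory (the
# report's sample ran from AppData\Local\Temp) is far stronger signal than
# the same command typed into an administrator's console.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)


def match_rules(proc):
    """Return [(rule, technique, severity)] for one process record."""
    hits = []
    suspicious = bool(USER_WRITABLE.search(proc.parent) or USER_WRITABLE.search(proc.image))
    for name, (technique, pattern) in RULES.items():
        if pattern.search(proc.cmdline):
            hits.append((name, technique, "high" if suspicious else "medium"))
    return hits


def scan(procs):
    """Return [(record index, rule, technique, severity)] over all records."""
    return [(i, *hit) for i, proc in enumerate(procs) for hit in match_rules(proc)]


def techniques(hits):
    """Distinct ATT&CK technique IDs observed, for the report's ATT&CK summary."""
    return sorted({h[2] for h in hits})


# Constructed records, not the report's telemetry. The first mirrors the
# recovery-inhibition chain WannaCry is known for; the fourth is benign and
# the fifth is ambiguous admin activity.
TMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"  # hypothetical dropped binary
SAMPLE_PROCS = [
    Proc(TMP_EXE, r"C:\Windows\System32\cmd.exe",
         "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
         "bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
         "bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"),
    Proc(TMP_EXE, r"C:\Windows\System32\cmd.exe", "cmd.exe /c fsutil usn deletejournal /D C:"),
    Proc(TMP_EXE, r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe cl System"),
    Proc(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c vssadmin list shadows"),
    Proc(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wevtutil.exe", "wevtutil cl Application"),
]

if __name__ == "__main__":
    for idx, rule, technique, severity in scan(SAMPLE_PROCS):
        print(f"[{severity:6}] record {idx}: {rule} ({technique})")
    print("techniques:", ", ".join(techniques(scan(SAMPLE_PROCS))))
```

The "medium" tier exists because administrators do clear logs and manage shadow copies; what separates the malicious case is the parent process and its location, which is why the rule keys severity on that rather than on the command line alone.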

MITRE ATT&CK Enterprise v15

Tasks