General
Target: NoEscape.zip
Size: 129KB
Sample: 240204-wwdeqafhd9
MD5: fefeb9d693fd102a27b7aae0ac6bc717
SHA1: dd5baf49f75494ff88db206ed59ba7a10b606df1
SHA256: cc22a90739363eccd777561c69fcbc18ec910aaeec2ef49f610479bf69fd9b4b
SHA512: 29838ab1dc0bc4006abe358e3cd1e3a5ebfa416e56015fbafc4b6e8ea24079cb6f976eaa5d4b8803d40878d00db80d491aa3b4b67992c28e2afc90dacab0ebc4
SSDEEP: 3072:pffpYcEMByrcuxpE0BOjS+rkaPfgIsknZ3E4hGlt6q8Qi+3nSky9WeZY/8ODuqJg:sDuqJMfWkvVSgE29xxspm0niivuz3il6
Static task: static1
Behavioral task: behavioral1
  Sample: NoEscape.zip
  Resource: win11-20231215-en
Malware Config
Extracted from: C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
Family: wannacry
Bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Targets
Target: NoEscape.zip (129KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine. This family tag disagrees with the extracted configuration above, which identifies the payload as wannacry (WannaCry) and carries a WannaCry Bitcoin address, and with the archive name NoEscape.zip. A signature match is weaker evidence than an extracted config, so treat the sample as WannaCry unless the BadRabbit match is confirmed against the binary.
Deletes NTFS Change Journal
  The USN change journal is a persistent, per-volume log that NTFS keeps of every file and directory change (create, rename, delete, data and attribute writes). It exists on every NTFS volume, on client as well as server editions of Windows, not only on Windows Server. Deleting it destroys a record that investigators use to reconstruct which files were dropped, renamed or wiped, so the action is an anti-forensics step rather than a functional need of the malware.
Suspicious use of NtCreateProcessExOtherParentProcess
Clears Windows event logs
Blocklisted process makes network request
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Adds Run key to start application
Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Sets desktop wallpaper using registry
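Several of the signatures above (NTFS change-journal deletion, event-log clearing, Run-key persistence, wallpaper set through the registry) are visible as plain process-creation events on the host, so they can be matched outside a sandbox. The following is an added example of that matching, not the sandbox's own detection code: it runs a small rule set over constructed Sysmon-EID-1-style records (the dropped-payload path, PIDs and command lines are invented, not taken from this report), and the ATT&CK technique IDs attached to each rule are the editor's mapping, not the sandbox's.

```python
"""Triage of process-creation events against the anti-forensics and persistence
signatures this report lists. Added example, not sandbox code; the events below
are constructed, and the ATT&CK mapping is the editor's own."""
import re
from typing import Dict, List, Tuple

# (signature name as the report lists it, ATT&CK technique, image basenames
#  the command is expected to run under, command-line pattern)
Rule = Tuple[str, str, frozenset, re.Pattern]
RULES: List[Rule] = [
    ("Deletes NTFS Change Journal", "T1070", frozenset({"fsutil.exe"}),
     re.compile(r"\busn\b.*\bdeletejournal\b", re.I)),
    ("Clears Windows event logs", "T1070.001", frozenset({"wevtutil.exe"}),
     re.compile(r"\b(cl|clear-log)\s+\S+", re.I)),
    ("Clears Windows event logs", "T1070.001",
     frozenset({"powershell.exe", "pwsh.exe"}),
     re.compile(r"\bClear-EventLog\b", re.I)),
    ("Adds Run key to start application", "T1547.001", frozenset({"reg.exe"}),
     re.compile(r"\badd\b.*\\CurrentVersion\\Run(Once)?\b", re.I)),
    ("Sets desktop wallpaper using registry", "T1491.001", frozenset({"reg.exe"}),
     re.compile(r"\badd\b.*Control Panel\\Desktop.*\bWallpaper\b", re.I)),
]

# A parent image in a user-writable location raises confidence: admins run
# fsutil/wevtutil from a console, dropped payloads run them from %TEMP%/AppData.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def image_basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_parent(parent_image: str) -> bool:
    """True when the parent process image lives in a user-writable directory."""
    p = parent_image.lower()
    return any(marker in p for marker in USER_WRITABLE)


def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one hit per (event, rule) match, in event order."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        base = image_basename(ev["image"])
        for name, technique, images, pattern in RULES:
            if base in images and pattern.search(ev["cmdline"]):
                hits.append({
                    "pid": ev["pid"],
                    "signature": name,
                    "technique": technique,
                    "suspicious_parent": suspicious_parent(ev["parent_image"]),
                    "cmdline": ev["cmdline"],
                })
    return hits


def techniques(hits: List[Dict[str, object]]) -> List[str]:
    """Distinct ATT&CK techniques observed, sorted."""
    return sorted({str(h["technique"]) for h in hits})


# Constructed records (not from the report). DROPPED is a hypothetical payload
# path chosen to exercise every rule; three benign look-alikes follow.
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\dropped.exe"
SAMPLE_EVENTS = [
    {"pid": "1100", "image": r"C:\Windows\System32\fsutil.exe",
     "parent_image": DROPPED, "cmdline": "fsutil usn deletejournal /D C:"},
    {"pid": "1104", "image": r"C:\Windows\System32\wevtutil.exe",
     "parent_image": DROPPED, "cmdline": "wevtutil cl Security"},
    {"pid": "1108", "image": r"C:\Windows\System32\reg.exe",
     "parent_image": DROPPED,
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
                r'/v Updater /t REG_SZ /d C:\Users\Admin\AppData\Roaming\svc.exe /f'},
    {"pid": "1112", "image": r"C:\Windows\System32\reg.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'reg add "HKCU\Control Panel\Desktop" /v Wallpaper '
                r'/t REG_SZ /d C:\Users\Admin\Pictures\note.bmp /f'},
    # benign look-alikes: same tools, read-only verbs, console parent
    {"pid": "1200", "image": r"C:\Windows\System32\fsutil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "fsutil usn queryjournal C:"},
    {"pid": "1204", "image": r"C:\Windows\System32\wevtutil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wevtutil qe Security /c:5 /rd:true"},
    {"pid": "1208", "image": r"C:\Windows\System32\reg.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for h in found:
        flag = "!" if h["suspicious_parent"] else " "
        print(f"{flag} pid={h['pid']} {h['technique']:<9} {h['signature']}: {h['cmdline']}")
    print("techniques:", ", ".join(techniques(found)))
```

The image-basename filter keeps the regexes from firing on a command line that merely mentions the tool (a script that echoes "fsutil usn deletejournal", for instance), and the parent-path flag is the cheapest way to separate an administrator at a console from a payload launched out of a temp directory; on a real host the next step is to correlate the flagged PIDs with the report's other indicators (the Run-key value, the dropped EXE, the wallpaper file) rather than alert on any single command.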
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  Scheduled Task/Job (T1053): 1
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  Scheduled Task/Job (T1053): 1
Defense Evasion
  File and Directory Permissions Modification (T1222): 1
  Hide Artifacts (T1564): 1
    Hidden Files and Directories (T1564.001): 1
  Indicator Removal (T1070): 2
    File Deletion (T1070.004): 1
  Modify Registry (T1112): 5
  Subvert Trust Controls (T1553): 1
    Install Root Certificate (T1553.004): 1