Overview

overview

10

Static

static

10

UMF.Installer.exe

windows11-21h2-x64

10

Resubmissions

20-02-2024 04:33

240220-e6v9vaba5w 10

20-02-2024 04:30

240220-e42c3sah9z 10

20-02-2024 04:20

240220-eyb61aag6y 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    UMF.Installer.exe

  • Size

    10.4MB

  • Sample

    240220-eyb61aag6y

  • MD5

    5a7ecc12107019e47294f27f4d40572c

  • SHA1

    01891d681fd8b6baa0599e335999d427e55179db

  • SHA256

    c81e2a3b15785a5fb548c5552be839fd92e2fc5423b372fba2f890ad488371b9

  • SHA512

    77da7350f3cc4358e07250ee9c6cbd035a9a27a934c019967942841cbf3d49839cb765dc6a22bc121e34ef1494b33050dc5752beff5e1938b82848b3190d4ad1

  • SSDEEP

    196608:DJ06wpSjt1RoahEDQH6TdBy5AY6TdVp/6TdvpPC:d0xpqloDQajPTpCppPC

Score
10/10
blackguardinfinitylockwannacrydiscoverypersistenceransomwarestealerworm

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\@Please_Read_Me@.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Targets

    • Target

      UMF.Installer.exe

    • Size

      10.4MB

    • MD5

      5a7ecc12107019e47294f27f4d40572c

    • SHA1

      01891d681fd8b6baa0599e335999d427e55179db

    • SHA256

      c81e2a3b15785a5fb548c5552be839fd92e2fc5423b372fba2f890ad488371b9

    • SHA512

      77da7350f3cc4358e07250ee9c6cbd035a9a27a934c019967942841cbf3d49839cb765dc6a22bc121e34ef1494b33050dc5752beff5e1938b82848b3190d4ad1

    • SSDEEP

      196608:DJ06wpSjt1RoahEDQH6TdBy5AY6TdVp/6TdvpPC:d0xpqloDQajPTpCppPC

    Score
    10/10
    blackguardinfinitylockwannacrydiscoverypersistenceransomwarestealerworm

    • BlackGuard

      Infostealer first seen in Late 2021.

      stealerblackguard

    • InfinityLock Ransomware

      Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.

      ransomwareinfinitylock

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Indicator Removal

1
T1070

File Deletion

1
T1070.004

File and Directory Permissions Modification

1
T1222

Modify Registry

3
T1112

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Inhibit System Recovery

1
T1490

Defacement

1
T1491

Resource Development

Reconnaissance

Tasks