wannacry

Resubmissions

22-02-2024 15:00

240222-sdrylsbh25 10

Sharing

Copy URL

Twitter E-mail

General

Target

File(2).rar
Size

92.9MB
Sample

240222-sdrylsbh25
MD5

06010f9b98fd06a76cc67bc3a804fa71
SHA1

fd6ad0bbc1afb79baf66deebdbfec8405030fc26
SHA256

5f72efa758d857722a10e5e90313fc236d3e60342a59cd9bb7f35779e91be461
SHA512

d5de0bea23fd553cb91106d4b81c504b2de5ba5cb6a22a7ffb3cb21b4a867f0801229c65f9c6712ede87d2257052399261a25e2c0a6546e9baed524cf695ba96
SSDEEP

1572864:Ts92ebrWvHwqG2JNiAkVU/JfwPh0ZDc5WQRVzh4j1voTg5AsvZfyRvubNmrsGxIp:T1N/wu7+U/6Ph84rIjWk5AsOubUFxydV

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Virus\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Targets

- Target
  
  Virus/000.exe
- Size
  
  6.7MB
- MD5
  
  d5671758956b39e048680b6a8275e96a
- SHA1
  
  33c341130bf9c93311001a6284692c86fec200ef
- SHA256
  
  4a900b344ef765a66f98cf39ac06273d565ca0f5d19f7ea4ca183786155d4a47
- SHA512
  
  972e89ed8b7b4d75df0a05c53e71fb5c29edaa173d7289656676b9d2a1ed439be1687beddc6fb1fbf068868c3da9c3d2deb03b55e5ab5e7968858b5efc49fbe7
- SSDEEP
  
  3072:V3LA1++iCeFj0im6X/AXpT8vVMCcHVcdhghUuzzo9Y:lLJlC6j0CX4XmvWHVcd62uo9
Score

8^/10

evasion persistence ransomware
- Disables Task Manager via registry modification
  evasion
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Modifies WinLogon
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral1
- Target
  
  Virus/Bonzify.exe
- Size
  
  6.4MB
- MD5
  
  fba93d8d029e85e0cde3759b7903cee2
- SHA1
  
  525b1aa549188f4565c75ab69e51f927204ca384
- SHA256
  
  66f62408dfce7c4a5718d2759f1d35721ca22077398850277d16e1fca87fe764
- SHA512
  
  7c1441b2e804e925eb5a03e97db620117d3ad4f6981dc020e4e7df4bfc4bd6e414fa3b0ce764481a2cef07eebb2baa87407355bfbe88fab96397d82bd441e6a2
- SSDEEP
  
  196608:adAMaWetTeAkLIdx751qFTkub//73lc6u7b5VJ2Yx5xIdk3:OaWedh+Idx75QYub//73lc6u7bLMYxD
Score

8^/10

discovery exploit persistence
- Modifies AppInit DLL entries
  persistence
- Modifies Installed Components in the registry
  persistence
- Possible privilege escalation attempt
  exploit
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral2
- Target
  
  Virus/MEMZ.bat
- Size
  
  12KB
- MD5
  
  13a43c26bb98449fd82d2a552877013a
- SHA1
  
  71eb7dc393ac1f204488e11f5c1eef56f1e746af
- SHA256
  
  5f52365accb76d679b2b3946870439a62eb8936b9a0595f0fb0198138106b513
- SHA512
  
  602518b238d80010fa88c2c88699f70645513963ef4f148a0345675738cf9b0c23b9aeb899d9f7830cc1e5c7e9c7147b2dc4a9222770b4a052ee0c879062cd5a
- SSDEEP
  
  384:nnLhRNiqt0kCH2LR0GPXxGiZgCz+KG/yKhLdW79HOli+lz3:nLhRN9t0SR4iZtzlREBWhuF
Score

7^/10

bootkit persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral3
- Target
  
  Virus/MEMZ.exe
- Size
  
  12KB
- MD5
  
  a7bcf7ea8e9f3f36ebfb85b823e39d91
- SHA1
  
  761168201520c199dba68add3a607922d8d4a86e
- SHA256
  
  3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42
- SHA512
  
  89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523
- SSDEEP
  
  192:HMDLTxWDf/pl3cIEiwqZKBktLe3P+qf2jhP6B5b2yL3:H4IDH3cIqqvUWq+jhyT2yL
Score

7^/10

bootkit persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral4
- Target
  
  Virus/NoEscape.exe
- Size
  
  666KB
- MD5
  
  989ae3d195203b323aa2b3adf04e9833
- SHA1
  
  31a45521bc672abcf64e50284ca5d4e6b3687dc8
- SHA256
  
  d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f
- SHA512
  
  e9d4e6295869f3a456c7ea2850c246d0c22afa65c2dd5161744ee5b3e29e44d9a2d758335f98001cdb348eaa51a71cd441b4ddc12c8d72509388657126e69305
- SSDEEP
  
  12288:85J5X487qJUtcWfkVJ6g5s/cD01oKHQyis2AePsr8nP712TB:s487pcZEgwcDpg1L2tbPR2t
Score

10^/10

evasion persistence ransomware trojan
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Modifies WinLogon
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral5
- Target
  
  Virus/Petya.exe
- Size
  
  225KB
- MD5
  
  af2379cc4d607a45ac44d62135fb7015
- SHA1
  
  39b6d40906c7f7f080e6befa93324dddadcbd9fa
- SHA256
  
  26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
- SHA512
  
  69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99
- SSDEEP
  
  6144:DCyjXhd1mialK+qoNr8PxtZE6x5v+k6f:rjXhd8ZlKOrMZE6x5b6f
Score

6^/10

bootkit persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral6
- Target
  
  Virus/VineMEMZ-Original.exe
- Size
  
  39.6MB
- MD5
  
  c4a04acc0b0133787d58d91338b35556
- SHA1
  
  308d43a455d578e7305293ff01174ba39884a1f1
- SHA256
  
  e0e50205f43a14048bf22c8442fa55a0467b828529e78a4927a6b39a35c6a947
- SHA512
  
  2f81114158c1deaffb2a79462d1f8d32fad6ed8e4a6ad0a7d7aa243a6ef06e90c3f0b88325fb70f27f7d02cbdd1d6d6281b9373f0c813fb981757cfd3b7ef767
- SSDEEP
  
  786432:1QQ+DLvsiBiFOMCdQCKiK/yRtlO1kXxFkA0mRoe653PDlTmJ46qShdKG543yMF:GQcv6NKpbtllXxKLmee653PRqDrKG5u5
Score

8^/10

bootkit persistence ransomware
- Sets file execution options in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral7
- Target
  
  Virus/WannaCry.EXE
- Size
  
  3.4MB
- MD5
  
  84c82835a5d21bbcf75a61706d8ab549
- SHA1
  
  5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
- SHA256
  
  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
- SHA512
  
  90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
- SSDEEP
  
  98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB
Score

10^/10

wannacry discovery persistence ransomware spyware stealer worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral8
- Target
  
  Virus/WinXP.Horror.Destructive (Created By WobbyChip).exe
- Size
  
  57.9MB
- MD5
  
  063ea883f8c67d3bb22e0a465136ca4c
- SHA1
  
  3a168a9153ee32b86d9a5411b0af13846c55ee1d
- SHA256
  
  3b64ce283febf3207dd20c99fc53de65b07044231eb544c4c41de374a2571c5c
- SHA512
  
  2dd6be23a5af8c458b94eeb5a4e83fc8cacb3fd2c2566b5682eee286c01726dca90db3d9b4e218eeded9b0c9bce8ba3c9ca9cc497e3a57aab580633a038e4b74
- SSDEEP
  
  1572864:aj6L5PLk/mBCSyKOYl39GFoFEujFMm+B997DaNHN1oS72fnD9hRzZ01tO0DpvrvI:i6cSzV9GCFEujFMm+B997DaNHN1oS72X
Score

10^/10

bootkit evasion persistence trojan
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Checks whether UAC is enabled
  evasion trojan
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral9