General

  • Target

    Delta.zip

  • Size

    478KB

  • Sample

    240222-wl38dsdd8x

  • MD5

    4854d9b4e51e85e83f997cefbd773a50

  • SHA1

    d5d96d1d2b91a4c8520cb6e8cff1e41653710b26

  • SHA256

    6487c010b06f1494e7a21abbd7f2dc8764033c3f2fcadefd44cbcc876624ea31

  • SHA512

    b4cbd00db46e87825b0869c2887acc1138a2d7ddcb3e75a4b200443d7b2da7dc67ebe700fc94f615b581a5fbca1de0c25b492235ce5138f4530d36635f3f5c2a

  • SSDEEP

    12288:VwB4hHOv4vkwRFU0Yz3jBL75xwc4XscIFl4zA6fzvBLP:+B1v8kEKjRdxwr81FlQxfDxP

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(2).zip\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Targets

    • Target

      Delta.zip

    • Size

      478KB

    • MD5

      4854d9b4e51e85e83f997cefbd773a50

    • SHA1

      d5d96d1d2b91a4c8520cb6e8cff1e41653710b26

    • SHA256

      6487c010b06f1494e7a21abbd7f2dc8764033c3f2fcadefd44cbcc876624ea31

    • SHA512

      b4cbd00db46e87825b0869c2887acc1138a2d7ddcb3e75a4b200443d7b2da7dc67ebe700fc94f615b581a5fbca1de0c25b492235ce5138f4530d36635f3f5c2a

    • SSDEEP

      12288:VwB4hHOv4vkwRFU0Yz3jBL75xwc4XscIFl4zA6fzvBLP:+B1v8kEKjRdxwr81FlQxfDxP

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Sets desktop wallpaper using registry

    • Target

      Delta.exe

    • Size

      89KB

    • MD5

      dd98a43cb27efd5bcc29efb23fdd6ca5

    • SHA1

      38f621f3f0df5764938015b56ecfa54948dde8f5

    • SHA256

      1cf20b8449ea84c684822a5e8ab3672213072db8267061537d1ce4ec2c30c42a

    • SHA512

      871a2079892b1eb54cb761aebd500ac8da96489c3071c32a3dab00200f74f4e12b9ab6c62623c53aea5b8be3fc031fb1b3e628ffe15d73323d917083240742b0

    • SSDEEP

      1536:Ee7h7q/J6K3nHC+AGUob2f0DBFPbPWNPWp350NHcHkDsWqxcd2ZPSAv:Ee7oU8HC+AGUu2abPbPWQpO8E0A2tSAv

    Score
    1/10
    • Target

      DeltaInstaller.bat

    • Size

      541B

    • MD5

      51dfcd466dc358d53af79757929de943

    • SHA1

      dfd5ccb39b0d29597431885a1ce2b13ef28913b8

    • SHA256

      8e87eaa40d7e13010e91ba80605dc367f4af43b71adf9d9452d659828f867446

    • SHA512

      96f23a49bde8fb403523933ac457acb79eabca95d75e4e94e9b1358477dc230fa7450a1efcfbf066d5958a169a207c5593fcb68c641607b5ca908214c65d351b

    Score
    7/10
    • Drops startup file

    • Executes dropped EXE

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      config

    • Size

      190KB

    • MD5

      3d7ecf4d9562e1dfd1dbc39fdcb32cee

    • SHA1

      f117c00eff9177a7d21e366b11ac643885a061a7

    • SHA256

      7110c8b5190e84c66ca829d16d7e3b3cbd3a8e8d491bdc73b90e6a77b8b5053d

    • SHA512

      8d01f0c2965b2759243b84a4d1cfc766167e4ef6edc2062723bfe21b212b3da093275465e54f65ebcc8ca2b8a68cc0e0506a895884cf47dfa965131c0f2a9b25

    • SSDEEP

      3072:luQKS57zFN73+M8js5WYHaKrtobGut+rAJEj25RQ0DgdCXfN:lQgBk1LKZ+yrAFRvoWN

    Score
    1/10
    • Target

      lua51.dll

    • Size

      592KB

    • MD5

      3dff7448b43fcfb4dc65e0040b0ffb88

    • SHA1

      583cdab08519d99f49234965ffd07688ccf52c56

    • SHA256

      ff976f6e965e3793e278fa9bf5e80b9b226a0b3932b9da764bffc8e41e6cdb60

    • SHA512

      cdcbe0ec9ddd6b605161e3c30ce3de721f1333fce85985e88928086b1578435dc67373c3dc3492ed8eae0d63987cac633aa4099b205989dcbb91cbbfc8f6a394

    • SSDEEP

      12288:rs7/mj/73RaLHIW5BmUeUhoE4RgiF1q1bPIBKsg4Db0S:rc/u/7IoRnUKfq1Dl4DY

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks