Overview

overview

10

Static

static

10

2024-03-06...ry.exe

windows7-x64

10

2024-03-06...ry.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    06-03-2024 18:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-03-06_e396682fa41f62fc399419848377f59f_destroyer_wannacry.exe

  • Size

    22KB

  • MD5

    e396682fa41f62fc399419848377f59f

  • SHA1

    69e6c685ea1312bc58148cfa4654d939c23d3d3d

  • SHA256

    345b8405ff606f8542ed48fc44c6da3a35df6afacf198698ea52e6e9642eac06

  • SHA512

    97184d7296f0c6d623fc1f4978fe71b7a05331f8230261a3ab21f5bf0a98bbd1920aaa68839570c6360d7b95079f66627f38ed381c5ddcfc7f4ba7a9d3cf9027

  • SSDEEP

    192:e1p2Dl10jI4fnw4S9KNPGwRFZKjhdcAhkYe//h9JsAa96cIKjwEYV83edpnHoCYE:U9f5pkwAhkcAa95BYljgmslC97C

Score
10/10
evasionpersistenceransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RESTORE_FILES-GHPZRGFC.txt

Ransom Note
--- What happened? --- All of your files are encrypted and stolen. Stolen data will be published soon on our tor website. There is no way to recover your data and prevent data leakage without us Decryption is not possible without private key. Don't waste your and our time to recover your files. It is impossible without our help --- How to recover files & prevent leakage? --- To make sure that we REALLY CAN recover your data - we offer FREE DECRYPTION for warranty. We promise that you can recover all your files safely and prevent data leakage. We can do it! --- Contact Us--- Download Tox chat from https://tox.chat/download.html Send us friend request to ID B1087CC15FFA75368DD104E9E37B6B9EC113DFFF4D03895CC6FD0640BA98296F6AA40E410BC4 OR Download Tor Browser - https://www.torproject.org/download/ and install it Open website: http://nfdxsippmdr5gxgt4slqpdljxoyeuugnwuil55xzdhl7kz2jiqbahpqd.onion Decryption ID: 1L4EMq6KwZpiPQ921MtA2gnhzPBVBkp4
URLs

https://tox.chat/download.html

http://nfdxsippmdr5gxgt4slqpdljxoyeuugnwuil55xzdhl7kz2jiqbahpqd.onion

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Detects command variations typically used by ransomware 1 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (200) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-06_e396682fa41f62fc399419848377f59f_destroyer_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-06_e396682fa41f62fc399419848377f59f_destroyer_wannacry.exe"
    1⤵
    • Adds Run key to start application
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2388
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2452
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1584
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2136
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2716
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1640
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        3⤵
        • Deletes backup catalog
        PID:1516
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2444
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2036
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:2944
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
        PID:2804

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RESTORE_FILES-GHPZRGFC.txt
        Filesize

        980B

        MD5

        2cc061522a1c23eb35a2e644aa744336

        SHA1

        d0b70834aa9dc9810281eec98c6eb973c3b2daf6

        SHA256

        b02fe11f5d394bb478e00e7c04b574fe4d59981dc26ab934d7b1dd314ac3fa74

        SHA512

        83184b07dffc9dc80ce397a0cc612741d1518d1947313db57a72059e31eb8687adc9c284b6d6ba521641c14e772e77402fe445169ebd01a5bdad851945325404

        Download Submit

      • memory/2660-0-0x00000000001F0000-0x00000000001FC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2660-1-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2660-2-0x000000001AD20000-0x000000001ADA0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2660-3-0x000000001AD20000-0x000000001ADA0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2660-443-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp

        Filesize

        9.9MB

        Download