Resubmissions

15-09-2024 23:12

240915-27aqvsxhjq 8

15-09-2024 23:02

240915-21efgaxake 8

15-09-2024 22:58

240915-2xypyaxdkj 3

15-09-2024 22:56

240915-2wn44sxcpk 3

15-09-2024 22:43

240915-2np2fawhpr 3

15-09-2024 22:42

240915-2m3k5swhmk 10

15-09-2024 22:33

240915-2gqdmawbja 8

15-09-2024 22:27

240915-2de4gswekk 7

15-09-2024 22:15

240915-16esravenh 10

General

  • Target

    eeeeeeeeeeeeee.zip

  • Size

    82.4MB

  • Sample

    240311-blpd1sgf9v

  • MD5

    bf78359f6f126b4216ace9edf63f1b39

  • SHA1

    d59846e938348f7a3c48b6cc304545a6ed87816c

  • SHA256

    734403a96fad68cb2ef2b340adddd9cadd5894007aac703dcdb4a4cb8326c538

  • SHA512

    1fc2cdccf5dd6956896d1d90e0cbdf20e02b2586b59736921de9811dafec9c6ffeeb5082a56b3dd4a13283b7a08163cbea5576bd869f7b841a801b2962ef3dfa

  • SSDEEP

    1572864:WuWJiEjJ5HXL3sPp12Elt9J/oQnQbz0Tipr4mUOzOgwLNL+mTdmOyd:W1Ji+HXL3sPyC9RoFwid4qnwZCmTdm3d

Malware Config

Extracted

Path

C:\Users\Admin\Documents\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\WannaCrypt0r\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Targets

    • Target

      eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/000/[email protected]

    • Size

      6.7MB

    • MD5

      f2b7074e1543720a9a98fda660e02688

    • SHA1

      1029492c1a12789d8af78d54adcb921e24b9e5ca

    • SHA256

      4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

    • SHA512

      73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

    • SSDEEP

      3072:eaLA1++iCeFj0im6X/AXpT8vVMCcHVcdhghUuz1o9Y:fLJlC6j0CX4XmvWHVcd62uO9

    • Disables Task Manager via registry modification

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies WinLogon

    • Sets desktop wallpaper using registry

    • Target

      eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Antivirus Platinum/[email protected]

    • Size

      739KB

    • MD5

      382430dd7eae8945921b7feab37ed36b

    • SHA1

      c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128

    • SHA256

      70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b

    • SHA512

      26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

    • SSDEEP

      12288:kUWA3AheuswygKEOKlC0DaWL8ldxj1UT1fzosC2kyINJATi1v2yUQpf84i:kUWqistgKErL8P6VzosCfE6TNpf8D

    Score
    10/10
    • Windows security bypass

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Target

      eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/ColorBug/[email protected]

    • Size

      53KB

    • MD5

      6536b10e5a713803d034c607d2de19e3

    • SHA1

      a6000c05f565a36d2250bdab2ce78f505ca624b7

    • SHA256

      775ba68597507cf3c24663f5016d257446abeb66627f20f8f832c0860cad84de

    • SHA512

      61727cf0b150aad6965b4f118f33fd43600fb23dde5f0a3e780cc9998dfcc038b7542bfae9043ce28fb08d613c2a91ff9166f28a2a449d0e3253adc2cb110018

    • SSDEEP

      1536:ynqAKryDLrASOcRw52sjzIUK7RkYrJ2lrKX:SNdMT8Z8cX

    Score
    6/10
    • Target

      eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/DesktopPuzzle/[email protected]

    • Size

      239KB

    • MD5

      2f8f6e90ca211d7ef5f6cf3c995a40e7

    • SHA1

      f8940f280c81273b11a20d4bfb43715155f6e122

    • SHA256

      1f5a26f24a2bfdd301008f0cc51a6c3762f41b926f974c814f1ecaa4cb28e5e6

    • SHA512

      2b38475550edee5519e33bd18fea510ad73345a27c20f6457710498d34e3d0cf05b0f96f32d018e7dc154a6f2232ea7e3145fd0ed5fb498f9e4702a4be1bb9c8

    • SSDEEP

      3072:r/3qftCdbSFtY8Zf8pOk0rHitNWIekbnfFPsr24Cv/Eng9m3ihlCeKH6Fb6aX3WA:WoI/rC0k7ar68nimCYHe3qZr0SlC

    Score
    1/10
    • Target

      eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/FakeActivation/[email protected]

    • Size

      396KB

    • MD5

      13f4b868603cf0dd6c32702d1bd858c9

    • SHA1

      a595ab75e134f5616679be5f11deefdfaae1de15

    • SHA256

      cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7

    • SHA512

      e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24

    • SSDEEP

      12288:jANwRo+mv8QD4+0V16nkFkkk2kyW9EArjaccoH0qzh4:jAT8QE+kHW9EAr+fr4i

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Happy Antivirus/[email protected]

    • Size

      1.9MB

    • MD5

      cb02c0438f3f4ddabce36f8a26b0b961

    • SHA1

      48c4fcb17e93b74030415996c0ec5c57b830ea53

    • SHA256

      64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32

    • SHA512

      373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

    • SSDEEP

      49152:p/VoMTzwF77l0VqmuTefhLTtk31XyXb9:ptoMTzwVmq3ettk31ob9

    Score
    1/10
    • Target

      MEMZ 3.0/MEMZ.bat

    • Size

      12KB

    • MD5

      13a43c26bb98449fd82d2a552877013a

    • SHA1

      71eb7dc393ac1f204488e11f5c1eef56f1e746af

    • SHA256

      5f52365accb76d679b2b3946870439a62eb8936b9a0595f0fb0198138106b513

    • SHA512

      602518b238d80010fa88c2c88699f70645513963ef4f148a0345675738cf9b0c23b9aeb899d9f7830cc1e5c7e9c7147b2dc4a9222770b4a052ee0c879062cd5a

    • SSDEEP

      384:nnLhRNiqt0kCH2LR0GPXxGiZgCz+KG/yKhLdW79HOli+lz3:nLhRN9t0SR4iZtzlREBWhuF

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      MEMZ 3.0/MEMZ.exe

    • Size

      12KB

    • MD5

      a7bcf7ea8e9f3f36ebfb85b823e39d91

    • SHA1

      761168201520c199dba68add3a607922d8d4a86e

    • SHA256

      3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

    • SHA512

      89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

    • SSDEEP

      192:HMDLTxWDf/pl3cIEiwqZKBktLe3P+qf2jhP6B5b2yL3:H4IDH3cIqqvUWq+jhyT2yL

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/MEMZ 3.0 (1)/MEMZ 3.0/MEMZ.bat

    • Size

      12KB

    • MD5

      13a43c26bb98449fd82d2a552877013a

    • SHA1

      71eb7dc393ac1f204488e11f5c1eef56f1e746af

    • SHA256

      5f52365accb76d679b2b3946870439a62eb8936b9a0595f0fb0198138106b513

    • SHA512

      602518b238d80010fa88c2c88699f70645513963ef4f148a0345675738cf9b0c23b9aeb899d9f7830cc1e5c7e9c7147b2dc4a9222770b4a052ee0c879062cd5a

    • SSDEEP

      384:nnLhRNiqt0kCH2LR0GPXxGiZgCz+KG/yKhLdW79HOli+lz3:nLhRN9t0SR4iZtzlREBWhuF

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/MEMZ 3.0 (1)/MEMZ 3.0/MEMZ.exe

    • Size

      12KB

    • MD5

      a7bcf7ea8e9f3f36ebfb85b823e39d91

    • SHA1

      761168201520c199dba68add3a607922d8d4a86e

    • SHA256

      3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

    • SHA512

      89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

    • SSDEEP

      192:HMDLTxWDf/pl3cIEiwqZKBktLe3P+qf2jhP6B5b2yL3:H4IDH3cIqqvUWq+jhyT2yL

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/NavaShield/[email protected]

    • Size

      9.7MB

    • MD5

      1f13396fa59d38ebe76ccc587ccb11bb

    • SHA1

      867adb3076c0d335b9bfa64594ef37a7e2c951ff

    • SHA256

      83ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d

    • SHA512

      82ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc

    • SSDEEP

      196608:CtbTP1ErBwMQjd1YTHdmpCP2PVgP/acIE/xQ0zyZejVk+YzbRdTZ:C1E1+dYx6OP9hdyZwV4zd

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Petya.A/[email protected]

    • Size

      225KB

    • MD5

      af2379cc4d607a45ac44d62135fb7015

    • SHA1

      39b6d40906c7f7f080e6befa93324dddadcbd9fa

    • SHA256

      26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

    • SHA512

      69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

    • SSDEEP

      6144:DCyjXhd1mialK+qoNr8PxtZE6x5v+k6f:rjXhd8ZlKOrMZE6x5b6f

    Score
    6/10
    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Security Central/[email protected]

    • Size

      904KB

    • MD5

      0315c3149c7dc1d865dc5a89043d870d

    • SHA1

      f74546dda99891ca688416b1a61c9637b3794108

    • SHA256

      90c2c3944fa8933eefc699cf590ed836086deb31ee56ec71b5651fd978a352c9

    • SHA512

      7168dc244f0e400fa302801078e3faec8cdd2d3cb3b8baaab0a1b3c0929d7cf41e54bfbe530ad5ce96a6b63761f7866d26aaae788c3138c34294174091478112

    • SSDEEP

      24576:bnQv6Dyxn2Qx0KHizHWKxHuyCcZFyXR1tG:2OE2QtCzhh/7R

    • Modifies Installed Components in the registry

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    • Target

      eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Security Defender 2015/[email protected]

    • Size

      1.2MB

    • MD5

      d5e5853f5a2a5a7413f26c625c0e240b

    • SHA1

      0ced68483e7f3742a963f2507937bb7089de3ffe

    • SHA256

      415dd13c421a27ed96bf81579b112fbac05862405e9964e24ec8e9d4611d25f3

    • SHA512

      49ea9ab92ce5832e702fac6f56a7f7168f60d8271419460ed27970c4a0400e996c2ea097636fc145e355c4df5cfbf200b7bf3c691133f72e4cad228f570b91e4

    • SSDEEP

      12288:QH1eYXlVeneL/AuCeGhqzjheKTnHdQSR9wlPlVlbzl+lwlElPS3PomNX:QVZVeneLYcmiN7Q6Md3dMyuI

    Score
    3/10
    • Target

      eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/VineMEMZ-Original.exe

    • Size

      39.6MB

    • MD5

      b949ba30eb82cc79eeb7c2d64f483bcb

    • SHA1

      8361089264726bb6cff752b3c137fde6d01f4d80

    • SHA256

      5f6a8f0e85704eb30340a872eec136623e57ab014b4dd165c68dd8cd76143923

    • SHA512

      e2acd4fe7627e55be3e019540269033f65d4954831a732d7a4bd50607260cd2a238832f604fa344f04be9f70e8757a9f2d797de37b440159a16bf3a6359a759b

    • SSDEEP

      786432:1fhwEXgLYTou24XbHzjkgV5bQAH/AbkP1hn0qPQPrhBPC7wYqljbdPIa:dqgb84DPn5vhbIPdZaWljbdPIa

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Sets desktop wallpaper using registry

    • Target

      eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/WannaCrypt0r/[email protected]

    • Size

      3.4MB

    • MD5

      84c82835a5d21bbcf75a61706d8ab549

    • SHA1

      5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

    • SHA256

      ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

    • SHA512

      90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

    • SSDEEP

      98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

evasionpersistenceransomware
Score
8/10

behavioral2

evasionpersistenceransomware
Score
8/10

behavioral3

evasiontrojanupx
Score
10/10

behavioral4

evasiontrojanupx
Score
10/10

behavioral5

persistence
Score
6/10

behavioral6

persistence
Score
6/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

discoverypersistence
Score
7/10

behavioral10

discoverypersistence
Score
7/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

bootkitpersistence
Score
7/10

behavioral14

bootkitpersistence
Score
7/10

behavioral15

bootkitpersistence
Score
6/10

behavioral16

bootkitpersistence
Score
7/10

behavioral17

bootkitpersistence
Score
7/10

behavioral18

bootkitpersistence
Score
7/10

behavioral19

bootkitpersistence
Score
6/10

behavioral20

bootkitpersistence
Score
7/10

behavioral21

Score
3/10

behavioral22

discoverypersistence
Score
7/10

behavioral23

bootkitpersistence
Score
6/10

behavioral24

bootkitpersistence
Score
6/10

behavioral25

persistencespywarestealerupx
Score
7/10

behavioral26

persistenceupx
Score
8/10

behavioral27

Score
3/10

behavioral28

Score
3/10

behavioral29

Score
7/10

behavioral30

bootkitpersistenceransomware
Score
8/10

behavioral31

wannacrydiscoverypersistenceransomwarespywarestealerworm
Score
10/10

behavioral32

wannacrydiscoverypersistenceransomwarespywarestealerworm
Score
10/10