General

  • Target

    RANSOMWARE-WANNACRY-2.0-master.zip

  • Size

    3.3MB

  • Sample

    240311-q8vxmscd21

  • MD5

    017f199a7a5f1e090e10bbd3e9c885ca

  • SHA1

    4e545b77d1be2445b2f0163ab2d6f2f01ec4ca05

  • SHA256

    761e037ee186880d5f7d1f112b839818056f160a9ba60c7fb8d23d926ac0621f

  • SHA512

    76215a26588204247027dcfdab4ea583443b2b2873ff92ad7dd5e9a9037c77d20ab4e471b8dd83e642d8481f53dbc0f83f993548dc7d151dead48dc29c1fdc22

  • SSDEEP

    98304:zhvb2BVmAw0p9jIVcEj5nnZNRyA30yBSRa:zhvq7Bu6EZnZN5EyBSA

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Targets

    • Target

      RANSOMWARE-WANNACRY-2.0-master.zip

    • Size

      3.3MB

    • MD5

      017f199a7a5f1e090e10bbd3e9c885ca

    • SHA1

      4e545b77d1be2445b2f0163ab2d6f2f01ec4ca05

    • SHA256

      761e037ee186880d5f7d1f112b839818056f160a9ba60c7fb8d23d926ac0621f

    • SHA512

      76215a26588204247027dcfdab4ea583443b2b2873ff92ad7dd5e9a9037c77d20ab4e471b8dd83e642d8481f53dbc0f83f993548dc7d151dead48dc29c1fdc22

    • SSDEEP

      98304:zhvb2BVmAw0p9jIVcEj5nnZNRyA30yBSRa:zhvq7Bu6EZnZN5EyBSA

    • Target

      RANSOMWARE-WANNACRY-2.0-master/LICENSE

    • Size

      34KB

    • MD5

      84dcc94da3adb52b53ae4fa38fe49e5d

    • SHA1

      12d81f50767d4e09aa7877da077ad9d1b915d75b

    • SHA256

      589ed823e9a84c56feb95ac58e7cf384626b9cbf4fda2a907bc36e103de1bad2

    • SHA512

      552aec8d120c9d931769f6a6b794716fce978d0055715de21746dc0f064f4a0f72b6be42d4828b98a56715b23fa427c1f66fd20aca0ef1751cc384c420db1605

    • SSDEEP

      768:Mo1acy3LTB2VsrHG/OfvMmnBCtLmJ9I7dB:MhcycsrfrnouW

    Score
    1/10
    • Target

      RANSOMWARE-WANNACRY-2.0-master/README.md

    • Size

      70B

    • MD5

      39148bc21924851d9082b687dc69e2dc

    • SHA1

      5d1e5490476227aa8877b87aad184031e19dc33a

    • SHA256

      76a94c98df32a1d37cc7f1e2b86bdc524eda3fedcdb35e57de0dd56bd976142f

    • SHA512

      2415bb9de017c086abf8315e4288a04d5eb6048af2637e75843778f24de6834154b68365794b6cbc09ef5da0fe96d5bfce20227bf3656d23b7f148fb60988041

    Score
    3/10
    • Target

      RANSOMWARE-WANNACRY-2.0-master/Ransomware.WannaCry.zip

    • Size

      3.3MB

    • MD5

      efe76bf09daba2c594d2bc173d9b5cf0

    • SHA1

      ba5de52939cb809eae10fdbb7fac47095a9599a7

    • SHA256

      707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

    • SHA512

      4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

    • SSDEEP

      98304:vhvb2BVmAw0p9jIVcEj5nnZNRyA30yBSRT:vhvq7Bu6EZnZN5EyBSN

    Score
    1/10
    • Target

      ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

    • Size

      3.4MB

    • MD5

      84c82835a5d21bbcf75a61706d8ab549

    • SHA1

      5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

    • SHA256

      ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

    • SHA512

      90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

    • SSDEEP

      98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks