wannacry

General

Target

WannaCry-main.zip
Size

3.3MB
Sample

240311-tmz61sbb47
MD5

3c7861d067e5409eae5c08fd28a5bea2
SHA1

44e4b61278544a6a7b8094a0615d3339a8e75259
SHA256

07ecdced8cf2436c0bc886ee1e49ee4b8880a228aa173220103f35c535305635
SHA512

c2968e30212707acf8a146b25bb29c9f5d779792df88582b03431a0034dc82599f58d61fc9494324cc06873e5943f8c29bffd0272ca682d13c0bb10482d79fc5
SSDEEP

98304:yvB7TUkt1NCLt2SUlW/6GQkBhLp0ClD/5vVayInJOo3s:yvjNct2TW/rQk6CN1VayQUoc

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\WannaCry-main\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Targets

- Target
  
  WannaCry-main.zip
- Size
  
  3.3MB
- MD5
  
  3c7861d067e5409eae5c08fd28a5bea2
- SHA1
  
  44e4b61278544a6a7b8094a0615d3339a8e75259
- SHA256
  
  07ecdced8cf2436c0bc886ee1e49ee4b8880a228aa173220103f35c535305635
- SHA512
  
  c2968e30212707acf8a146b25bb29c9f5d779792df88582b03431a0034dc82599f58d61fc9494324cc06873e5943f8c29bffd0272ca682d13c0bb10482d79fc5
- SSDEEP
  
  98304:yvB7TUkt1NCLt2SUlW/6GQkBhLp0ClD/5vVayInJOo3s:yvjNct2TW/rQk6CN1VayQUoc
Score

1^/10
behavioral1
- Target
  
  WannaCry-main/.github/FUNDING.yml
- Size
  
  879B
- MD5
  
  148a8212d916df277b94ff7293ebaf93
- SHA1
  
  6017fb2ca1094abbab2e4b7493906334a98afdf2
- SHA256
  
  a718485e8f9d87fe04684f8e8e295e4e2f1c686691d467adfc10f83a0d277dc0
- SHA512
  
  4e4ebf456ef5d41c72cab28082b89134ff4393bfd439fd4f22607b08ae4b06588a2832f1d2bfb69404903ebd05c5f2ac1171a2e66c9f697d777c941b6d243400
Score

3^/10
behavioral2
- Target
  
  WannaCry-main/LICENSE
- Size
  
  34KB
- MD5
  
  1ebbd3e34237af26da5dc08a4e440464
- SHA1
  
  31a3d460bb3c7d98845187c716a30db81c44b615
- SHA256
  
  3972dc9744f6499f0f9b2dbf76696f2ae7ad8af9b23dde66d6af86c9dfb36986
- SHA512
  
  d361e5e8201481c6346ee6a886592c51265112be550d5224f1a7a6e116255c2f1ab8788df579d9b8372ed7bfd19bac4b6e70e00b472642966ab5b319b99a2686
- SSDEEP
  
  768:Fo1acy3LTB2VsrHG/OfvMmnBCtLmJ9A7J:Fhcycsrfrnoum
Score

1^/10
behavioral3
- Target
  
  WannaCry-main/README.md
- Size
  
  678B
- MD5
  
  d5cf8ac826abe3f1161ef2266d121b89
- SHA1
  
  79a81c5e801e16625a42c5b58e6e74d532d30a4b
- SHA256
  
  30f48639e02b2891005bd9520dcfdd70edd2da7de690ce7f38a054c91e5f4bc4
- SHA512
  
  7027bdbcb666cbfe556ddea300d433e0542b75fe673496c4353cc61d12a141b2c413e4c291ed58eef29da19955f494314f9631017840d05445b44b1c7ba4bf0e
Score

3^/10
behavioral4
- Target
  
  WannaCry-main/WannaCry.EXE
- Size
  
  3.4MB
- MD5
  
  84c82835a5d21bbcf75a61706d8ab549
- SHA1
  
  5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
- SHA256
  
  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
- SHA512
  
  90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
- SSDEEP
  
  98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB
Score

10^/10

wannacry discovery persistence ransomware spyware stealer worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral5