wannacry

General

Target

winmugen.exe
Size

728KB
Sample

240320-1faq4scg3y
MD5

6ab193c70ef923b6154eafb1ee2e696a
SHA1

53d593a6ddac66b983b1794f64ea97c98ead9913
SHA256

92b3b971492599d2e1b08719dd5a7859431bc743292c3395621f2bbd215e6c16
SHA512

964b880510669f1c8a7698027e706be4aefb3fc6db5115016ff261193f45f21b98f6d68d9a1c4d268b71251de483ac075a020118ae40a875f47bc6dc5e12c9a1
SSDEEP

12288:ajIz30Z/s+e9+N4mYS0x0I2fEKs7hkpOxiO0yRB1ykhIKCPHr7dES6Ync8lL:ajIz3093Y+uDS06I5KFkxid6BogIKCDf

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Targets

- Target
  
  winmugen.exe
- Size
  
  728KB
- MD5
  
  6ab193c70ef923b6154eafb1ee2e696a
- SHA1
  
  53d593a6ddac66b983b1794f64ea97c98ead9913
- SHA256
  
  92b3b971492599d2e1b08719dd5a7859431bc743292c3395621f2bbd215e6c16
- SHA512
  
  964b880510669f1c8a7698027e706be4aefb3fc6db5115016ff261193f45f21b98f6d68d9a1c4d268b71251de483ac075a020118ae40a875f47bc6dc5e12c9a1
- SSDEEP
  
  12288:ajIz30Z/s+e9+N4mYS0x0I2fEKs7hkpOxiO0yRB1ykhIKCPHr7dES6Ync8lL:ajIz3093Y+uDS06I5KFkxid6BogIKCDf
Score

10^/10

wannacry discovery persistence ransomware spyware stealer worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies Installed Components in the registry
  persistence
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Sets desktop wallpaper using registry
  ransomware
behavioral1