wannacry

General

Target

1635452090191517096.ico
Size

229KB
Sample

240411-wpjyxsgh37
MD5

30d065cb2bf733456114f25755cfc795
SHA1

fcdcb0fad3af9f3d9f2192dc56178b61eea3b660
SHA256

922a1d2631866ed3a8d2343d578d1daad53a5f220a72271fe3f0526f7972a402
SHA512

42ccb3e1d4c0ac243eee437c345cfe6f20e77548c05bbfb5b0d0d2101201e2da75b3e492978cb4a00cff4e07b64b52967843f9721aed50658adcb7298a125e1b
SSDEEP

6144:BYvBOoisQ+/mKCKtJnBKCvsUFhSh6euW+PJZmz:mM4NvBK0sCheKW+PJZmz

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Targets

- Target
  
  1635452090191517096.ico
- Size
  
  229KB
- MD5
  
  30d065cb2bf733456114f25755cfc795
- SHA1
  
  fcdcb0fad3af9f3d9f2192dc56178b61eea3b660
- SHA256
  
  922a1d2631866ed3a8d2343d578d1daad53a5f220a72271fe3f0526f7972a402
- SHA512
  
  42ccb3e1d4c0ac243eee437c345cfe6f20e77548c05bbfb5b0d0d2101201e2da75b3e492978cb4a00cff4e07b64b52967843f9721aed50658adcb7298a125e1b
- SSDEEP
  
  6144:BYvBOoisQ+/mKCKtJnBKCvsUFhSh6euW+PJZmz:mM4NvBK0sCheKW+PJZmz
Score

10^/10

wannacry discovery evasion persistence ransomware spyware stealer trojan worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Downloads MZ/PE file
- Sets file execution options in registry
  persistence
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1