General
-
Target
2024-04-13_62df3bbc2aaeddab1942f1ed0b2db429_wannacry
-
Size
19.9MB
-
Sample
240414-aa52yseg61
-
MD5
62df3bbc2aaeddab1942f1ed0b2db429
-
SHA1
a31b35f778fa5bec3a09b215db38d891fa45510d
-
SHA256
1d2822a34aa548e8e890e33b66cf6722e0bdb82944dae1b53feaf902790c5254
-
SHA512
6ab2b5f72db8b6e386c142e330807bd2eec9983c04ab034c4011c053a5be0294514f06693c66a9f8b6bcc7b60d1646810f7c2cda4379b6cdbda2f9d5d047bfdd
-
SSDEEP
393216:jDLmcuBUDiQv3FlGzbhweRo3W6aJZCN7TW/0k6CN1VWtES:jflGw3F6dwijJZCN2sA1Vc
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-13_62df3bbc2aaeddab1942f1ed0b2db429_wannacry.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
2024-04-13_62df3bbc2aaeddab1942f1ed0b2db429_wannacry.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
xworm
5.0
TcK6iKFmjhETcMYi
-
install_file
USB.exe
-
pastebin_url
https://pastebin.com/raw/RqgnZ1zk
Extracted
xworm
tr1.localto.net:39186
-
Install_directory
%ProgramData%
-
install_file
Microsoft Storge.exe
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Extracted
xtremerat
antonioxx.no-ip.org
Extracted
njrat
im523
gg
5.tcp.eu.ngrok.io:13017
8b094ade9743639b941a0474f6aa7525
-
reg_key
8b094ade9743639b941a0474f6aa7525
-
splitter
|'|'|
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Targets
-
-
Target
2024-04-13_62df3bbc2aaeddab1942f1ed0b2db429_wannacry
-
Size
19.9MB
-
MD5
62df3bbc2aaeddab1942f1ed0b2db429
-
SHA1
a31b35f778fa5bec3a09b215db38d891fa45510d
-
SHA256
1d2822a34aa548e8e890e33b66cf6722e0bdb82944dae1b53feaf902790c5254
-
SHA512
6ab2b5f72db8b6e386c142e330807bd2eec9983c04ab034c4011c053a5be0294514f06693c66a9f8b6bcc7b60d1646810f7c2cda4379b6cdbda2f9d5d047bfdd
-
SSDEEP
393216:jDLmcuBUDiQv3FlGzbhweRo3W6aJZCN7TW/0k6CN1VWtES:jflGw3F6dwijJZCN2sA1Vc
-
Detect XtremeRAT payload
-
Detect Xworm Payload
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
-
Detects Windows executables referencing non-Windows User-Agents
-
Detects executables manipulated with Fody
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
-
ModiLoader Second Stage
-
UPX dump on OEP (original entry point)
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
2