wannacry

Target

6a3693afc047b0dae27b852ecfddd8c03d2c8f96b37a36ac62647417747e9cd2
Size

3.4MB
Sample

240417-rphzeabf63
MD5

aadd501e7f87ad9279eec57a5ea987ca
SHA1

a378ed3f7e758e1c8389fdd33a1774ff5e38daa8
SHA256

6a3693afc047b0dae27b852ecfddd8c03d2c8f96b37a36ac62647417747e9cd2
SHA512

b22b532ae337b272a5ce1a64f3e81e03f5d1e37a19035b961675d9a0bef8af43e12fed0bfb4b510a35d894bd7803f708c02cf3606a8e1da954300902867229f9
SSDEEP

98304:DEPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3T:DEPe1Cxcxk3ZAEUadzR8yc4gD

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Targets

- Target
  
  6a3693afc047b0dae27b852ecfddd8c03d2c8f96b37a36ac62647417747e9cd2
- Size
  
  3.4MB
- MD5
  
  aadd501e7f87ad9279eec57a5ea987ca
- SHA1
  
  a378ed3f7e758e1c8389fdd33a1774ff5e38daa8
- SHA256
  
  6a3693afc047b0dae27b852ecfddd8c03d2c8f96b37a36ac62647417747e9cd2
- SHA512
  
  b22b532ae337b272a5ce1a64f3e81e03f5d1e37a19035b961675d9a0bef8af43e12fed0bfb4b510a35d894bd7803f708c02cf3606a8e1da954300902867229f9
- SSDEEP
  
  98304:DEPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3T:DEPe1Cxcxk3ZAEUadzR8yc4gD
Score

10^/10

wannacry discovery ransomware spyware stealer worm persistence
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5