wannacry

General

Target

nice.bat
Size

33B
Sample

240419-21pw7shg98
MD5

8decb87920accf14b6c245852a8f8f23
SHA1

2403b19a9bb1119a8596dc833a4c59f7e9f8dd68
SHA256

ab4879058b3e32af16884069227138c229173b5af6f9e768cc0d442672e66a2f
SHA512

d22a1c685ba501efd4c3b67d21f33ed0d23197ef99e87870e279ffd3b26bbd75b1ae76dd0f77d3aca391da48a4c91e92b3b0439b306639838604cef763f17404

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\@Please_Read_Me@.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Targets

- Target
  
  nice.bat
- Size
  
  33B
- MD5
  
  8decb87920accf14b6c245852a8f8f23
- SHA1
  
  2403b19a9bb1119a8596dc833a4c59f7e9f8dd68
- SHA256
  
  ab4879058b3e32af16884069227138c229173b5af6f9e768cc0d442672e66a2f
- SHA512
  
  d22a1c685ba501efd4c3b67d21f33ed0d23197ef99e87870e279ffd3b26bbd75b1ae76dd0f77d3aca391da48a4c91e92b3b0439b306639838604cef763f17404
Score

10^/10

wannacry discovery persistence pyinstaller ransomware upx worm
- Suspicious use of NtCreateProcessExOtherParentProcess
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Downloads MZ/PE file
- Modifies Installed Components in the registry
  persistence
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Modifies system executable filetype association
  persistence
- Registers COM server for autorun
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1